Abstract. We extend the specification language of temporal logic, the corresponding verification framework, and the underlying computational model to deal with real-time properties of reactive systems. The abstract notion of timed transition systems generalizes traditional transition systems conservatively: qualitative fairness requirements are replaced (and superseded) by quantitative lower-bound and upper-bound timing constraints on transitions. This framework can model real-time systems that communicate either through shared variables or by message passing and real-time issues such as time-outs, process priorities (interrupts), and process scheduling.

We  exhibit  two  styles  for  the  specification  of  real-time  systems.  While  the  first  approach  uses 
bounded  versions  of  temporal  operators,  the  second  approach  allows  explicit  references  to  time 
through  a  special  clock  variable.  Corresponding  to  the  two  styles  of  specification,  we  present  and 
compare  two  fundamentally  different  proof  methodologies  for  the  verification  of  timing  requirements 
that are expressed in these styles. For the bounded-operator style, we provide a set of proof rules for establishing bounded-invariance and bounded-response properties of timed transition systems. This approach generalizes the standard temporal proof rules for verifying invariance and response properties conservatively. For the explicit-clock style, we exploit the observation that every time-bounded property is a safety property and use the standard temporal proof rules for establishing safety properties.
1 Introduction


It is self-evident that the most sensitive and critical among reactive systems, and therefore the ones for which formal methods are needed most direly, are real-time systems. The qualitative requirement of responsiveness, that every environment stimulus p must be followed by a system response q, is no longer adequate for real-time systems; it has to be replaced by the stronger quantitative requirement of timed responsiveness, which imposes a bound on the time interval that is permissible between the stimulus p and the response q. Temporal logic has been used successfully
for  the  specification  and  verification  of  qualitative  properties  of  reactive  systems  (see,  for  example, 
[Pnu86]  for  a  survey).  Over  the  past  few  years,  there  have  been  several  suggestions  for  extending 
the  expressive  power  of  temporal  logic  to  handle  timing  constraints.  These  attempts  can  be  roughly 
classified  into  two  approaches. 

The first approach, to which we refer as the bounded-operator approach, introduces for each temporal operator, such as $\Diamond$ ("eventually"), one or more time-bounded versions. For example, while the formula $\Diamond q$ asserts that the event q will happen "eventually" but puts no time bound on when it will happen, the formula $\Diamond_{\le 3}\, q$ predicts an occurrence of q within 3 time units from now. The early proposal [BH81] can be viewed as a precursor of this approach to the specification of timing properties, which is advocated in [KVdR83, KdR85, Koy90], where the bounded-operator language is called Metric Temporal Logic, and in [SPE84]. Bounded-operator temporal logics are analyzed for their complexity and expressiveness in [EMSS89] and in [AH90, AFH91].

An alternative approach to the specification of timing constraints of reactive systems introduces no new temporal operators but interprets, at each state, one of the nonrigid state variables (we use the variable t) as the current time. We refer to this approach as the explicit-clock approach, because the only new element is the ability to refer explicitly to the clock. Scattered examples of this method of expressing timing properties are presented in [PdR82], in [Ron84], and in [Har88, PH88]. A more systematic exposition of this approach and its applications can be found in [Ost90], where the explicit-clock language is called Real-time Temporal Logic. Explicit-clock temporal logics are analyzed for their complexity and expressiveness in [AH90] and in [HLP90].

To compare the two approaches, consider the requirement of a timely response q to stimulus p within at most 3 time units. In the bounded-operator approach, this requirement is specified by the formula

$p \Rightarrow \Diamond_{\le 3}\, q.$

In the explicit-clock approach, it is expressed by the formula

$(p \wedge t = T) \Rightarrow \Diamond (q \wedge t \le T + 3),$

where the rigid variable T is used to record the time of the p-state.

The main contribution of this paper is the elaboration of two proof systems that correspond,
respectively,  to  the  two  styles  for  the  specification  of  timing  requirements. 

It is a well-known observation that with the introduction of an explicit-clock variable, all time-bounded properties can be defined by safety formulas ([Hen91a]). For example, the timed response property that, in either style, is expressed above by a liveness-like formula (employing the liveness operator $\Diamond$) can alternatively be specified by a formula that uses the clock variable t and the safety operator $\mathcal{U}$ (unless):

$(p \wedge t = T) \Rightarrow (t \le T + 3)\ \mathcal{U}\ q.$

This formula asserts that if p happens at time T, then from this point on the time will not exceed T + 3 either forever (which is ruled out by an axiom that requires time to progress eventually) or until q happens. Consequently, q must occur within 3 time units from p. It follows from this translation that no new proof rules are necessary for the explicit-clock style of timed specification; all time-bounded properties can, in principle, be verified using a standard, uniform set of timeless rules.

On the other hand, when pursuing the bounded-operator style of timed specification, one discerns a clear dichotomy between upper-bound properties such as the bounded-response formula $p \Rightarrow \Diamond_{\le 3}\, q$ considered above, and lower-bound properties, such as the bounded-invariance formula

$p \Rightarrow \Box_{< 3}\, \neg q,$

which states that q cannot happen sooner than 3 time units after any occurrence of p. While upper-bound properties assert that "something good" will happen within a specified amount of time, lower-bound properties assert that "nothing bad" will happen for a certain amount of time. Clearly, while the class of upper-bound properties bears a close resemblance to liveness properties, the class of lower-bound properties closely resembles safety properties. The proof system we present cultivates this similarity by including separate proof principles for the classes of lower-bound and upper-bound properties. These proof principles can easily be seen to be natural extensions of the standard proof rules for the untimed safety (invariance) and liveness (response) classes, respectively.

In our model, we assume a global, discrete, and asynchronous clock, whose actions (clock ticks) are interleaved with the other system actions ([HMP90]). In some other work aimed at the formal analysis of real-time systems, it has been claimed that while this interleaving model of computation may be adequate for the qualitative analysis of reactive systems, it is inappropriate for the real-time analysis of programs, and a more realistic model, such as maximal parallelism or even continuous time, is needed ([KSdR+88]). One of the points that we demonstrate in this paper is a refutation of this claim. We show that by a careful incorporation of time into the interleaving model, we can still model adequately most of the phenomena that occur in the timed execution of programs. Yet we retain the important economic advantage of interleaving models, namely, that at any point only one transition can occur and has to be analyzed.

Part I discusses the modeling of real-time systems by transition systems. In Section 2, we introduce the abstract computational model of timed transition systems. The subsequent two sections illustrate how concrete real-time systems and typical real-time phenomena can be mapped into this model. We begin, in Section 3, with the representation of real-time processes that are executed in parallel and communicate either through a shared memory or by message passing. Although the timeless interleaving of concurrent activities identifies true parallelism with (sequential) nondeterminism, when time is of the essence, we can no longer ignore the difference between multiprocessing, where each parallel task is executed on a separate machine, and multiprogramming, where several tasks reside on the same machine. This is because questions of priorities, interrupts, and scheduling of tasks may strongly influence the ability of a system to meet its timing constraints. These issues in modeling time-sharing systems are discussed in Section 4.
Part II follows with techniques for the verification of timed transition systems. Section 5 introduces the bounded-operator specification language, and Section 6 presents a proof system for this language. In Section 7, we discuss the alternative, explicit-clock, approach. Section 8 concludes by giving completeness results for both methods.


Part  I 

Modeling  Real-time  Systems 

We  define  the  formal  semantics  of  a  real-time  system  as  a  set  of  timed  execution  sequences.  This 
is  done  in  two  steps.  First,  we  introduce  the  abstract  notion  of  timed  transition  systems  and 
identify  the  possible  timed  execution  sequences  (computations)  of  any  such  system.  Then,  we 
consider  concrete  real-time  systems  and  show  how  to  interpret  the  concrete  constructs  within 
the  abstract  model.  We  demonstrate  that  this  framework  can  model  a  wide  variety  of  real-time 
phenomena that are encountered in practice, including the timed execution of both multiprocessing
and  multiprogramming  systems. 

2 Abstract Model: Timed Transition Systems

The basic computational model we use is that of transition systems ([Kel76, Pnu77]), which we generalize by imposing timing constraints on the transitions. A transition system $S = (V, \Sigma, \Theta, \mathcal{T})$ consists of four components:

1. a finite set $V$ of variables,

2. a set $\Sigma$ of states. Every state $\sigma \in \Sigma$ is an interpretation of $V$; that is, it assigns to every variable $x \in V$ a value $\sigma(x)$ in its domain.

3. a subset $\Theta \subseteq \Sigma$ of initial states.

4. a finite set $\mathcal{T}$ of transitions, including the idle transition $\tau_I$. Every transition $\tau \in \mathcal{T}$ is a binary relation on $\Sigma$; that is, it defines for every state $\sigma \in \Sigma$ a (possibly empty) set of $\tau$-successors $\tau(\sigma) \subseteq \Sigma$. We say that the transition $\tau$ is enabled on a state $\sigma$ iff $\tau(\sigma) \neq \emptyset$. In particular, the idle (stutter) transition

$\tau_I = \{(\sigma, \sigma) \mid \sigma \in \Sigma\}$

is enabled on every state.

An infinite sequence $\sigma = \sigma_0 \sigma_1 \sigma_2 \ldots$ of states is an initialized computation (execution sequence, run) of the transition system $S = (V, \Sigma, \Theta, \mathcal{T})$ iff it satisfies the following two requirements:

Initiality: $\sigma_0 \in \Theta$.

Consecution: For all $i \ge 0$ there is a transition $\tau \in \mathcal{T}$ such that $\sigma_{i+1} \in \tau(\sigma_i)$ (which is also denoted by $\sigma_i \xrightarrow{\tau} \sigma_{i+1}$). We say that the transition $\tau$ is taken at position $i$ and completed at position $i + 1$.
We incorporate time into the transition system model by assuming that all transitions happen "instantaneously," while real-time constraints restrict the times at which transitions may occur. The timing constraints are classified into two categories: lower-bound and upper-bound requirements. They ensure that transitions occur neither too early nor too late, respectively. All of our time bounds are nonnegative integers $\mathbb{N}$. The absence of a lower-bound requirement is modeled by a lower bound of 0; the absence of an upper-bound requirement by an upper bound of $\infty$. For notational convenience, we assume that $\infty > n$ for all $n \in \mathbb{N}$. A timed transition system $S = (V, \Sigma, \Theta, \mathcal{T}, l, u)$ consists of an underlying transition system $S^- = (V, \Sigma, \Theta, \mathcal{T})$ as well as

5. a minimal delay $l_\tau \in \mathbb{N}$ for every transition $\tau \in \mathcal{T}$. We require that $l_{\tau_I} = 0$.

6. a maximal delay $u_\tau \in \mathbb{N} \cup \{\infty\}$ for every transition $\tau \in \mathcal{T}$. We require that $u_\tau \ge l_\tau$ for all $\tau$ and that $u_\tau = \infty$ if $\tau$ is enabled on any initial state in $\Theta$. In particular, $u_{\tau_I} = \infty$.

Let $\mathcal{T}_0 \subseteq \mathcal{T}$ be the set of transitions with the maximal delay 0. To allow time to progress, we put a restriction on these transitions. We require that there is no sequence

$\sigma_0 \xrightarrow{\tau_0} \sigma_1 \xrightarrow{\tau_1} \cdots \xrightarrow{\tau_{n-1}} \sigma_n$

of states and transitions such that $n > |\mathcal{T}_0|$ and $\tau_i \in \mathcal{T}_0$ for all $0 \le i < n$. This condition ensures the operationality (machine-closure) of timed transition systems ([Hen91a]).


Timed state sequences

We model the ticks of a fictitious global clock by the integers $\mathbb{Z}$. A timed state sequence $\rho = (\sigma, T)$ consists of an infinite sequence $\sigma$ of states $\sigma_i \in \Sigma$, where $i \ge 0$, and an infinite sequence $T$ of corresponding times (clock values) $T_i \in \mathbb{Z}$ that satisfy the following conditions:

Bounded monotonicity: For all $i \ge 0$,

either $T_{i+1} = T_i$,
or $T_{i+1} = T_i + 1$ and $\sigma_{i+1} = \sigma_i$;

that is, time never decreases. It may increase, by at most 1, only between two consecutive states that are identical. The case that the time stays the same between two identical states is referred to as a stuttering step; the case that the time increases by 1 is called a clock tick.

Progress: For all $i \ge 0$ there is some $j > i$ such that $T_i < T_j$; that is, time never stagnates. Thus there are infinitely many clock ticks in every timed state sequence.

By $\rho^i = (\sigma^i, T^i)$ we denote the $i$-th suffix of the timed state sequence $\rho$; it consists of the infinite sequence $\sigma^i = \sigma_i \sigma_{i+1} \ldots$ of states and the infinite sequence $T^i = T_i T_{i+1} \ldots$ of times. Note that $\rho^i$ is, for all $i \ge 0$, again a timed state sequence; that is, the set of timed state sequences is closed under suffixes.


Timed  execution  sequences 

Just as the execution sequences of transition systems are infinite state sequences, we model the execution sequences of timed transition systems by timed state sequences. The timed state sequence $\rho = (\sigma, T)$ is an initialized computation of the timed transition system $S = (V, \Sigma, \Theta, \mathcal{T}, l, u)$ iff the state sequence $\sigma$ is an initialized computation of the underlying transition system $S^-$ and

Lower bound: For every transition $\tau \in \mathcal{T}$ and all positions $i \ge 0$ and $j \ge i$ with $T_j < T_i + l_\tau$,

if $\tau$ is taken at position $j$,
then $\tau$ is enabled on $\sigma_i$.

In other words, once enabled, $\tau$ is delayed for at least $l_\tau$ clock ticks; it can be taken only after being continuously enabled for $l_\tau$ time units. Any transition that is enabled initially, on the first state of a timed state sequence, can be taken immediately (as if it has been enabled forever).

Upper bound: For every transition $\tau \in \mathcal{T}$ and position $i \ge 0$, there is some position $j \ge i$ with $T_j \le T_i + u_\tau$ such that

either $\tau$ is not enabled on $\sigma_j$,
or $\tau$ is taken at position $j$.

In other words, once enabled, $\tau$ is delayed for at most $u_\tau$ clock ticks; it cannot be continuously enabled for more than $u_\tau$ time units without being taken. Since the maximal delay of every transition that is enabled initially must be $\infty$, the first state change of an initialized computation may occur at any (integer) time.

The computations of a timed transition system are obtained by closing the set of initialized computations under suffixes: the timed state sequence $\rho$ is a computation of $S$ iff $\rho$ is a suffix of an initialized computation of $S$.

Note that at both stuttering steps and clock ticks, the idle transition $\tau_I$ is taken. We consider all computations of the system $S$ to be infinite. Finite (terminating as well as deadlocking) computations can be represented by infinite extensions that add only idle transitions. The computations of any timed transition system are, furthermore, closed under stuttering and under shifting the origin of time:

• The addition of finitely many stuttering steps to a timed state sequence does not alter the property of being a computation of $S$.

• The addition of an integer constant to all times of a timed state sequence does not alter the property of being a computation of $S$. In other words, timed transition systems cannot refer to absolute time. Thus we will often assume, without loss of generality, that the time of the first state change of a computation is 0.

Since the state component of any computation of $S$ is a computation of the underlying untimed transition system $S^-$, ordinary timeless reasoning is sound for timed transition systems: every untimed property of infinite state sequences that is satisfied by all computations of $S^-$ is also satisfied by all computations of $S$. The converse, however, is generally not true. The timing constraints of $S$ can be viewed as filters that prohibit certain possible behaviors of $S^-$. Special cases are a minimal delay 0 and a maximal delay $\infty$ for a transition $\tau$. While the former does not rule out any computations of $S^-$, the latter adds to $S^-$ a weak-fairness (justice) assumption in the sense of [MP89a]: $\tau$ cannot be continuously enabled forever without being taken. By $S^-_f$ we denote the weakly-fair transition system that is obtained from the transition system $S^-$ underlying $S$ by adding weak-fairness requirements for all transitions with infinite maximal delays.
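The definitions of this section can be checked mechanically on a finite prefix of a timed state sequence. The following Python program is an added example and is not part of the paper: it encodes a timed transition system as a set of successor relations with minimal and maximal delays and checks a prefix $\sigma_0 \ldots \sigma_n$, $T_0 \ldots T_n$ for initiality, consecution, bounded monotonicity, the lower-bound and upper-bound requirements, and the side condition that a transition enabled on an initial state must have maximal delay $\infty$. The three-transition system over the variable v and the three prefixes are constructed for illustration; the names `Transition`, `TimedTransitionSystem` and `check_prefix` are this example's own. Because a prefix is finite, the progress condition cannot be checked, and an upper bound is reported as violated only once the prefix has moved past $T_i + u_\tau$ without a witness position.

```python
"""Finite-prefix checker for the semantics of timed transition systems (added example)."""
from dataclasses import dataclass
from typing import Callable, Dict, List

INF = float("inf")
State = Dict[str, int]                      # an interpretation of the variables V


@dataclass
class Transition:
    name: str
    succ: Callable[[State], List[State]]    # tau(sigma): the set of tau-successors
    lower: int = 0                          # minimal delay l_tau (0 = no lower bound)
    upper: float = INF                      # maximal delay u_tau (inf = no upper bound)

    def enabled(self, s: State) -> bool:
        return len(self.succ(s)) > 0


@dataclass
class TimedTransitionSystem:
    initial: Callable[[State], bool]        # membership in Theta
    transitions: Dict[str, Transition]

    def __post_init__(self) -> None:
        # The idle (stutter) transition is always present, with l = 0 and u = inf.
        self.transitions["idle"] = Transition("idle", lambda s: [dict(s)], 0, INF)
        for t in self.transitions.values():
            assert t.upper >= t.lower, f"u < l for transition {t.name}"


def check_prefix(tts: TimedTransitionSystem, states: List[State],
                 times: List[int], taken: List[str]) -> List[str]:
    """Check the prefix sigma_0..sigma_n, T_0..T_n, with transition taken[i]
    taken at position i (0 <= i < n), against the definitions of Section 2.
    Returns the definite violations; an empty list means the prefix is consistent
    with being the beginning of an initialized computation of tts."""
    n = len(states) - 1
    assert len(times) == n + 1 and len(taken) == n
    bad: List[str] = []
    if not tts.initial(states[0]):
        bad.append("initiality: sigma_0 is not in Theta")
    for i in range(n):
        dt = times[i + 1] - times[i]
        if dt not in (0, 1) or (dt == 1 and states[i] != states[i + 1]):
            bad.append(f"bounded monotonicity: illegal step at position {i}")
        if states[i + 1] not in tts.transitions[taken[i]].succ(states[i]):
            bad.append(f"consecution: {taken[i]} cannot lead from position {i} to {i + 1}")
    for t in tts.transitions.values():
        if tts.initial(states[0]) and t.enabled(states[0]) and t.upper < INF:
            bad.append(f"{t.name} is enabled on an initial state but has u < inf")
        for i in range(n + 1):
            # Lower bound: if t is taken at j with T_j < T_i + l, it was enabled at i.
            for j in range(i, n):
                if (times[j] < times[i] + t.lower and taken[j] == t.name
                        and not t.enabled(states[i])):
                    bad.append(f"lower bound: {t.name} taken too early at position {j}")
            # Upper bound: some j >= i with T_j <= T_i + u where t is disabled or taken.
            witness = any(
                times[j] <= times[i] + t.upper
                and (not t.enabled(states[j]) or (j < n and taken[j] == t.name))
                for j in range(i, n + 1))
            if not witness and times[n] > times[i] + t.upper:
                bad.append(f"upper bound: {t.name} enabled from position {i} "
                           f"but not taken by time {times[i] + t.upper}")
    return bad


def _move(var: str, frm: int, to: int) -> Callable[[State], List[State]]:
    """Successor relation of a transition that changes var from frm to to."""
    return lambda s: [dict(s, **{var: to})] if s[var] == frm else []


# Constructed system: v runs through the phases 0..3.  'start' is enabled on the
# initial state, so its maximal delay must be inf; 'a' must be taken between 2 and
# 3 time units after v becomes 1; 'b' waits at least 1 time unit after v becomes 2.
SYSTEM = TimedTransitionSystem(
    initial=lambda s: s["v"] == 0,
    transitions={
        "start": Transition("start", _move("v", 0, 1), 0, INF),
        "a": Transition("a", _move("v", 1, 2), 2, 3),
        "b": Transition("b", _move("v", 2, 3), 1, INF),
    },
)


def _trace(vs, ts, taken):
    return [{"v": v} for v in vs], list(ts), list(taken)


# Constructed prefixes: (states, times, transitions taken at positions 0..n-1).
GOOD = _trace([0, 1, 1, 1, 2, 2, 3], [0, 0, 1, 2, 2, 3, 3],
              ["start", "idle", "idle", "a", "idle", "b"])
TOO_EARLY = _trace([0, 1, 1, 2], [0, 0, 1, 1], ["start", "idle", "a"])   # a after 1 tick
TOO_LATE = _trace([0, 1, 1, 1, 1, 1], [0, 0, 1, 2, 3, 4], ["start"] + ["idle"] * 4)

if __name__ == "__main__":
    for label, tr in (("good", GOOD), ("too early", TOO_EARLY), ("too late", TOO_LATE)):
        print(label, "->", check_prefix(SYSTEM, *tr) or "no violation in prefix")
```

In `TOO_EARLY`, transition a is taken one tick after v became 1, so the lower-bound clause fires for position $i = 0$, where a was not yet enabled. In `TOO_LATE`, a stays enabled from time 0 through time 4 without being taken, so the upper-bound clause fires once the prefix passes $T_1 + u_a = 3$; a shorter prefix ending at time 3 would report nothing, which is exactly the sense in which upper bounds are not safety properties of finite prefixes.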
3 Concrete Model: Multiprocessing Systems

The concrete real-time systems we consider first consist of a fixed number of sequential real-time programs that are executed in parallel, on separate processors, and communicate through a shared memory. We show how time-outs and real-time response can be programmed in this language. Then we add message passing primitives for process synchronization and communication.


3.1 Syntax: Timed transition diagrams

A shared-variables multiprocessing system P has the form

$P : \theta\,[P_1 \| \ldots \| P_m].$

Each process $P_i$, for $1 \le i \le m$, is a sequential nondeterministic real-time program over the finite set $U_i$ of private (local) data variables and the finite set $U_s$ of shared data variables. The formula $\theta$, called the data precondition of P, restricts the initial values of the variables in

$U = U_s \cup \bigcup_{1 \le i \le m} U_i.$

The real-time programs $P_i$ can be alternatively presented in a textual programming language or as transition diagrams. We shall use the latter, graphical, representation. For this purpose, we extend the untimed transition diagram language by labeling transitions with minimal and maximal time delays. A timed transition diagram for the process $P_i$ is a finite directed graph whose vertices $L_i = \{\ell_0, \ldots, \ell_k\}$ are called locations. The entry location, usually $\ell_0$, is marked specially in the diagram. The intended meaning of the entry location $\ell_0$ is that the control of the process $P_i$ starts at the location $\ell_0$. The component processes of a system are not required to start synchronously (i.e., at the same time). Each edge in the graph is labeled by a guarded instruction, a minimal delay $l \in \mathbb{N}$ and a maximal delay $u \in \mathbb{N} \cup \{\infty\}$ such that $u \ge l$:

$c \to \bar{x} := \bar{e} \quad [l, u]$

where the guard c is a boolean expression, $\bar{x}$ is a vector of variables, and $\bar{e}$ an equally typed vector of expressions (the guard true and the delay interval $[0, \infty]$ are usually suppressed; for the empty vector nil, the instruction $c \to nil := nil$ is abbreviated to $c?$). We require that every cycle in the graph consists of no fewer than two edges, at least one of which is labeled by a positive (nonzero) maximal delay.

The intended operational meaning of the given edge is as follows. The minimal delay l guarantees that whenever the control of the process $P_i$ has resided at the source location of the edge for at least l time units during which the guard c has been continuously true, then $P_i$ may proceed to the target location. The maximal delay u ensures that whenever the control of the process $P_i$ has resided at the source location for u time units during which the guard c has been continuously true, then $P_i$ must proceed to the target location. In doing so, the control of $P_i$ moves to the target location "instantaneously," and the current values of $\bar{e}$ are assigned to the variables $\bar{x}$. In general, a process may have to proceed via several edges all of whose guards have been continuously true for their corresponding maximal delays. In this case, any such edge is chosen nondeterministically. It follows that the control of a process $P_i$ may remain at a location $\ell$ forever only in one of two situations: if $\ell$ has no outgoing edges, we say that $P_i$ has terminated; if each of the guards that are associated with the outgoing edges of the location $\ell$ is false infinitely often, we say that $P_i$ has deadlocked. The second condition is necessary (although not sufficient) for stagnation, because if one guard is true forever, then the corresponding maximal delay $u < \infty$ guarantees the progress of $P_i$.

3.2 Semantics: Timed transition systems

The operational view of timed transition diagrams can be captured by a simple translation into the abstract model of timed transition systems. With the given shared-variables multiprocessing system

$P : \theta\,[P_1 \| \ldots \| P_m],$

we associate the following timed transition system $S_P = (V, \Sigma, \Theta, \mathcal{T}, l, u)$:

1. $V = U \cup \{\pi_1, \ldots, \pi_m\}$. Each control variable $\pi_i$, where $1 \le i \le m$, ranges over the set $L_i \cup \{\bot\}$. The value of $\pi_i$ indicates the location of the control of the process $P_i$; it is $\bot$ (undefined) before the process $P_i$ starts.

2. $\Sigma$ contains all interpretations of $V$.

3. $\Theta$ is the set of all states $\sigma \in \Sigma$ such that $\theta$ is true in $\sigma$ and $\sigma(\pi_i) = \bot$ for all $1 \le i \le m$.

4. $\mathcal{T}$ contains, in addition to the idle transition $\tau_I$, an entry transition $\tau_0^i$ for every process $P_i$, where $1 \le i \le m$, as well as a transition $\tau_E$ for every edge $E$ in the timed transition diagrams for $P_1, \ldots, P_m$. In particular, $\sigma' \in \tau_0^i(\sigma)$ iff

$\sigma(\pi_i) = \bot$ and $\sigma'(\pi_i) = \ell_0$,
$\sigma'(y) = \sigma(y)$ for all $y \in V - \{\pi_i\}$.

If $E$ connects the source location $\ell$ to the target location $\ell'$ of the process $P_i$ and is labeled by the instruction $c \to \bar{x} := \bar{e}$, then $\sigma' \in \tau_E(\sigma)$ iff

$\sigma(\pi_i) = \ell$ and $\sigma'(\pi_i) = \ell'$,
$c$ is true in $\sigma$ and $\sigma'(\bar{x}) = \sigma(\bar{e})$,
$\sigma'(y) = \sigma(y)$ for all $y \in V - \{\pi_i, \bar{x}\}$.

If $\tau_E$ is uniquely determined by its source and target locations, we may refer to it by those two locations.

5. If $\tau$ is an entry transition, then $l_\tau = 0$. For every edge $E$ labeled by the minimal delay $l$, let $l_{\tau_E} = l$.

6. If $\tau$ is an entry transition, then $u_\tau = \infty$. For every edge $E$ labeled by the maximal delay $u$, let $u_{\tau_E} = u$.

This translation defines the set of possible computations of the concrete real-time system P as a set of timed state sequences. The condition on timed transition diagrams that every cycle contains at least one positive (nonzero) maximal delay ensures that the timed transition system $S_P$ is operational.

For instance, consider the trivial system P that consists of a single process whose timed transition diagram has the entry location $\ell_0$ and a single edge from $\ell_0$ to $\ell_1$ (the diagram itself is not reproduced here). Its initialized computations are exactly the timed state sequences that result from closing the two sequences

$(\bot, 0) \to (\ell_0, 0) \to (\ell_1, 0) \to (\ell_1, 1) \to \cdots,$

$(\bot, 0) \to (\ell_0, 0) \to (\ell_0, 1) \to (\ell_1, 1) \to (\ell_1, 2) \to \cdots$

under stuttering and shifting the origin of time.

We remark that our semantics of shared-variables multiprocessing systems is conservative over the untimed case. Suppose that the system P contains no delay labels (recall that, in this case, all minimal delays are 0 and all maximal delays are $\infty$). Then the state components of the initialized computations of $S_P$ are precisely the legal execution sequences of P, as defined in the interleaving model of concurrency, that are weakly fair with respect to every transition ([MP89a]): no process can stop when one of its transitions is continuously enabled. Weak fairness for every individual transition and, consequently, progress for every process is guaranteed by the maximal delays $\infty$.

3.3 Examples: Time-out and timely response

To demonstrate the scope of the timed transition diagram language, we model two extremely common real-time phenomena as shared-variables multiprocessing systems. In the first example (time-out), a process checks if an external event happens within a certain amount of time. In the second example (traffic light), a process reacts to an external event and is required to do so within a certain amount of time. A third example combines several processes.

Time-out

To see how a time-out situation can be programmed, consider the process P with the following timed transition diagram (not reproduced here): from the location $\ell_0$, one edge, guarded by the test $x = 0$ and carrying the maximal delay u, leads to the location $\ell_1$, and a second, unguarded edge, taken after exactly 10 time units, leads to the location $\ell_2$.

When at the location $\ell_0$, the process P attempts, for 10 time units, to proceed to the location $\ell_1$ by checking the value of x. If the value of x is not found to be 0, then P does not succeed and proceeds to the alternative location $\ell_2$ after 10 time units. The choice of the maximal delay u determines how often P checks the value of x. For example, if $u > 10$, then P may not check the value of x at all before timing out after 10 time units. If $0 < u < 10$, then P has to check the value of x at least once every u time units. Consequently, if the value of x is 0 for more than u time units, it will be detected. On the other hand, the value of x being 0 may go undetected if it fluctuates too frequently, even in the case of $u = 0$.
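The claims of the preceding paragraph can be confirmed by enumerating every computation of the time-out process. The following Python program is an added example and is not part of the paper: it explores all configurations reachable under the operational meaning of Section 3.1, with the environment modeled as a process that may flip x between 0 and 1 at any instant (or, for comparison, never). The encoding of the diagram is this example's own and fixes what the text leaves implicit: the checking edge from $\ell_0$ to $\ell_1$ is guarded by $x = 0$ with delays $[0, u]$, the time-out edge from $\ell_0$ to $\ell_2$ has delays $[10, 10]$, and, as the paper does without loss of generality, P enters $\ell_0$ at time 0. The names `timeout_process`, `explore`, `latest_time_at` and `reachable_locations` are hypothetical helpers.

```python
"""Exhaustive exploration of the time-out process (added example)."""
from collections import deque
from typing import Callable, Dict, Set, Tuple

INF = float("inf")
# edge name -> (source, target, guard on x, minimal delay l, maximal delay u)
Edge = Tuple[str, str, Callable[[int], bool], int, float]


def timeout_process(u: float) -> Dict[str, Edge]:
    """Constructed encoding of the time-out diagram: at l0, edge e1 moves to l1
    once x = 0 has been observed (delays [0, u]); edge e2 moves to l2 after
    exactly 10 time units at l0 (delays [10, 10])."""
    return {
        "e1": ("l0", "l1", lambda x: x == 0, 0, u),
        "e2": ("l0", "l2", lambda x: True, 10, 10),
    }


def explore(edges: Dict[str, Edge], x0: int = 0, env_may_toggle: bool = True,
            horizon: int = 12) -> Set[Tuple[str, int, int]]:
    """Return all reachable (location, x, time) triples up to the time horizon.

    A configuration is (loc, x, timers, t): timers[k] counts the time units for
    which edge k has been continuously enabled (control at its source and guard
    true).  From each configuration the system may: let the environment flip x
    (if allowed); take an enabled edge whose timer is at least l; or let the
    clock tick, which is permitted only while no enabled edge has reached its
    maximal delay u (the upper-bound requirement of Section 2)."""
    names = list(edges)

    def enabled(k: int, loc: str, x: int) -> bool:
        src, _, guard, _, _ = edges[names[k]]
        return loc == src and guard(x)

    def norm(loc: str, x: int, timers: Tuple[int, ...]) -> Tuple[int, ...]:
        # A disabled edge has no residence time; an enabled one never needs a
        # timer above u (or above l when u is infinite), which keeps the
        # configuration space finite.
        out = []
        for k, e in enumerate(names):
            _, _, _, l, u = edges[e]
            cap = u if u < INF else l
            out.append(min(timers[k], cap) if enabled(k, loc, x) else 0)
        return tuple(out)

    start = ("l0", x0, norm("l0", x0, (0,) * len(names)), 0)
    seen = {start}
    queue = deque([start])
    while queue:
        loc, x, timers, t = queue.popleft()
        succ = []
        if env_may_toggle:                                   # environment step
            succ.append((loc, 1 - x, timers, t))
        for k, e in enumerate(names):                        # edge transitions
            _, dst, _, l, _ = edges[e]
            if enabled(k, loc, x) and timers[k] >= l:
                succ.append((dst, x, timers, t))
        if t < horizon and all(not enabled(k, loc, x) or timers[k] < edges[e][4]
                               for k, e in enumerate(names)):   # clock tick
            succ.append((loc, x, tuple(v + 1 for v in timers), t + 1))
        for loc2, x2, timers2, t2 in succ:
            conf = (loc2, x2, norm(loc2, x2, timers2), t2)
            if conf not in seen:
                seen.add(conf)
                queue.append(conf)
    return {(loc, x, t) for loc, x, _, t in seen}


def latest_time_at(loc: str, reach: Set[Tuple[str, int, int]]):
    """Latest time at which control can still be at loc (None if unreachable)."""
    return max((t for l, _, t in reach if l == loc), default=None)


def reachable_locations(reach: Set[Tuple[str, int, int]]) -> Set[str]:
    return {l for l, _, _ in reach}


if __name__ == "__main__":
    for u in (INF, 2, 0):
        free = explore(timeout_process(u))
        quiet = explore(timeout_process(u), env_may_toggle=False)
        print(f"u={u}: P leaves l0 by time {latest_time_at('l0', free)};",
              f"x fluctuating -> {sorted(reachable_locations(free))};",
              f"x = 0 throughout -> {sorted(reachable_locations(quiet))}")
```

Three facts from the text fall out of the exploration: for every u, control leaves $\ell_0$ by time 10, because the [10, 10] edge blocks any further clock tick; with $u = \infty$ and x equal to 0 throughout, $\ell_2$ is still reachable, since P is never forced to look at x; with $u = 2$ and x equal to 0 throughout, $\ell_1$ is reached by time 2 and $\ell_2$ is unreachable; and with $u = 0$ but an environment free to flip x, $\ell_2$ is reachable again, because x can be set to 1 just before each instant at which P would be forced to check it.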


Traffic light

To give another typical real-time application of embedded systems, let us design a traffic light controller that turns a pedestrian light green within 5 time units after a button is pushed. The environment is given by the following process E (diagram not reproduced here). Whenever the request button is pushed, the shared boolean variable request is set to true.

Recall that the edge labels $true?$ and $[0, \infty]$ are suppressed; thus we have no knowledge about the frequency of requests.

We want to design a traffic light controller Q that controls the status of the traffic light through the variable light, whose value is either green or red. As unit of time we take the amount of time it takes to switch the light; for simplicity, we also assume that, in comparison, the time needed for local operations within Q is negligible. Now let us specify the desired process Q. The controller Q should behave in such a way that the combined system

$P : \{request = false,\ light = red\}\ [E \| Q]$

satisfies the following two correctness conditions:

(A) Whenever request is true, then light is green within 5 time units for at least 5 time units.

(B) Whenever request has been false for 25 time units, then light is red.

The first condition, (A), ensures that no pedestrian has to wait for more than 5 time units to cross the road and is given another 5 time units to do so. The second condition, (B), prevents the light from being always green.

It is not hard to convince ourselves that, once it is started, the following process Q satisfies the specification (of its diagram, only the edge label $request \to request := false$ survives here)

for any delay $4 \le \delta \le 23$. This implementation of the traffic light controller turns the light green as soon as possible after a request is received and then waits for $\delta$ time units before turning the light red again. Only if the request button has been pushed in the meantime, the light stays green for another $\delta$ time units.


Multiple traffic lights

Let us generalize the traffic light example and design a system that reacts to several external events. We wish to do so by composing, in parallel, processes that are similar to Q. At this point it is convenient to accept some additional assumptions about the frequencies of the external events. In our example, we suppose that the distance between any two requests is at least 15 time units; that is, the environment process $E'$ enforces this minimal distance between requests (diagram not reproduced here).

Under this assumption, we can simplify the traffic light controller to the process $Q'$ (of its diagram, only the edge labels $request \to request := false$ $[0, 0]$, $light := green$ $[1, 1]$, and $light := red$ $[1, 1]$ survive here)

for any delay $4 \le \delta \le 17$. The combined system

$P' : \{request = false,\ light = red\}\ [E' \| Q']$

still satisfies both correctness requirements (A) and (B).

Now consider a more complex traffic light configuration, with two lights and two request buttons. In particular, we assume that the second light is designed for the special convenience of pedestrians in a hurry: it is required to turn green within 3 time units of a request but, on the other hand, has to stay green for only 3 time units. While pedestrians arrive at the first light with a frequency of at most one pedestrian every 15 time units, we assume that the more urgent requests are less frequent — only one every 30 time units:


The controller for both lights executes the following two processes:


[Figure: timed transition diagram of Q2; legible labels in this copy: l0, request2 → request2 := false, light2 := red, light2 := green, [0,0], [1,1], [δ2, δ2]]


If the combined traffic light controller makes use of two processors and the processes Q1 and Q2 are executed in a truly concurrent fashion, then the correctness of the entire system

P|| : {request1 = request2 = false, light1 = light2 = red} [E1||E2||Q1||Q2]

follows from the correctness of its parts. Specifically, if 4 ≤ δ1 ≤ 17 and 2 ≤ δ2 ≤ 30, then all runs of P|| satisfy the following conditions:

(A1) Whenever request1 is true, then light1 is green within 5 time units for 5 time units.

(A2) Whenever request2 is true, then light2 is green within 3 time units for 3 time units.

(B1) Whenever request1 has been false for 25 time units, then light1 is red.

(B2) Whenever request2 has been false for 25 time units, then light2 is red.
A more interesting case is obtained if only a single processor is available to control both lights and the two processes Q1 and Q2 have to share it. Using the interleaving (shuffle) operator of [Hoa85], we denote the resulting system P||| by the expression

{request1 = request2 = false, light1 = light2 = red} [E1||E2||(Q1|||Q2)].

Note that the behavior of the environment E1||E2 is still truly concurrent to the behavior of the traffic light controller Q1|||Q2, which executes both processes Q1 and Q2 on a single processor in an interleaved fashion.

Let us assume that δ1 = 10 and δ2 = 2, in which case P|| is correct. However, if we have no knowledge about the strategy by which the processes Q1 and Q2 are scheduled on the processor they share, other than that it is fair (i.e., the turn of each process will come eventually), then P||| does not satisfy the specification consisting of the requirements (A1), (A2), (B1), and (B2). For suppose that the process Q1 is always given priority over the process Q2, and the traffic light controller receives a request for the second light only one time unit after it has received a request for the first light. Then it will serve the first request by turning light1 green and (busy) waiting for 10 time units, thus violating (A2). On the other hand, if the process Q2 that serves the more urgent yet less frequent requests is always given priority over the process Q1, then P||| is correct. This is because, owing to the low frequency of requests for the second light, only one such request can interrupt the service of a request for the first light. Before we discuss the modeling of priorities and interrupts in greater detail, let us first introduce message-passing operations.

3.4  Message  passing 

Asynchronous  message  passing  can  be  modeled  by  shared  variables  that  represent  message  channels. 
In  this  subsection,  we  extend  our  timed  transition  diagram  language  by  a  primitive  for  synchronous 
(CSP-style)  message  passing,  which  can  be  used  for  the  synchronization  and  communication  of 
parallel  processes. 

Syntax 

A (message-passing) multiprocessing system P has the form

{θ}[P1||...||Pm],

where θ is a data precondition and each process Pi, for 1 ≤ i ≤ m, is a sequential nondeterministic real-time program over the finite set $U_i \cup U$ of data variables (in the case of pure message-passing systems, U = ∅). We use again timed transition diagrams to represent processes, but enrich the repertoire of instructions by guarded send and receive operations. The send operation a!e outputs the value of the expression e on the channel a. The receive operation a?x reads an input value from the channel a and assigns it to the variable x. A send instruction and a receive instruction match iff they belong to different processes and address the same channel:

For any two matching communication instructions with the delay intervals [l,u] and [l',u'], respectively, we require that max{l, l'} ≤ min{u, u'}.

Since we use the paradigm of synchronous message passing, a send operation can be executed only jointly with a matching receive operation. Thus the intended operational meaning of the given two edges is as follows. Suppose that, for max{l, l'} time units, the control of the process $P_i$ has resided at the location $\ell_i$ and the control of the process $P_{i'}$ has resided at the location $\ell_{i'}$, and the guards c and c' have been continuously true. Then $P_i$ and $P_{i'}$ may proceed, synchronously, to the locations $\hat{\ell}_i$ and $\hat{\ell}_{i'}$, respectively. On the other hand, if $P_i$ has resided at $\ell_i$ and $P_{i'}$ has resided at $\ell_{i'}$ and the guards c and c' have been continuously true for min{u, u'} time units, then both processes must proceed. In doing so, the current value of e is assigned to x.

Semantics 

Synchronous message passing can be modeled formally by timed transition systems. We define the timed transition system $S_P = (V, \Sigma, \Theta, T, l, u)$ that is associated with the given message-passing multiprocessing system P as in the shared-variables case, only that T contains an additional transition for every matching pair of communication instructions. Suppose that the two edges E (from $\ell_i$ to $\hat{\ell}_i$) and E' (from $\ell_{i'}$ to $\hat{\ell}_{i'}$) in the timed transition diagrams for $P_i$ and $P_{i'}$ are labeled by the matching instructions $c \to a!e$ and $c' \to a?x$, respectively. Then

• T contains, for the matching edges E and E', a transition $\tau_{E,E'}$ such that $\sigma' \in \tau_{E,E'}(\sigma)$ iff

$\sigma(\pi_i) = \ell_i$ and $\sigma'(\pi_i) = \hat{\ell}_i$,
$\sigma(\pi_{i'}) = \ell_{i'}$ and $\sigma'(\pi_{i'}) = \hat{\ell}_{i'}$,
c and c' are true in σ and $\sigma'(x) = \sigma(e)$,
$\sigma'(y) = \sigma(y)$ for all $y \in V - \{\pi_i, \pi_{i'}, x\}$.

• If the matching edges E and E' are labeled by the minimal delays l and l', respectively, let $l_{\tau_{E,E'}} = \max\{l, l'\}$.

• If the matching edges E and E' are labeled by the maximal delays u and u', respectively, let $u_{\tau_{E,E'}} = \min\{u, u'\}$.

This  translation  defines  the  set  of  possible  computations  of  any  distributed  real-time  system  P 
whose  processes  communicate  either  through  shared  variables  or  by  message  passing. 
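As an added example (not the paper's code), the following Python finds the matching send/receive edges of a set of processes, computes the delay interval of the combined transition from the two edges' intervals as defined above, and reports pairs that violate the requirement max{l, l'} ≤ min{u, u'}. The instruction syntax c -> a!e / c -> a?x and the sample edges are constructed for illustration; the class and function names are the example's own.

```python
import re
from dataclasses import dataclass
from itertools import combinations
from typing import List, Tuple

# Constructed syntax: optional guard, "->", channel, "!" (send) or "?" (receive), data.
INSTR = re.compile(
    r"^\s*(?:(?P<guard>.+?)\s*->\s*)?(?P<chan>[A-Za-z]\w*)(?P<op>[!?])(?P<data>\S+)\s*$")


@dataclass(frozen=True)
class CommEdge:
    proc: str      # process the edge belongs to
    src: str       # source location
    dst: str       # target location
    instr: str     # e.g. "c -> a!e" (send) or "c' -> a?x" (receive)
    l: int         # minimal delay of the edge
    u: int         # maximal delay of the edge

    def parse(self):
        m = INSTR.match(self.instr)
        if not m:
            raise ValueError(f"not a communication instruction: {self.instr!r}")
        return m["chan"], m["op"], m["guard"] or "true", m["data"]


def matches(e1: CommEdge, e2: CommEdge) -> bool:
    """A send and a receive match iff they belong to different processes
    and address the same channel (one '!' and one '?')."""
    c1, op1, _, _ = e1.parse()
    c2, op2, _, _ = e2.parse()
    return e1.proc != e2.proc and c1 == c2 and {op1, op2} == {"!", "?"}


def joint_delay(e1: CommEdge, e2: CommEdge) -> Tuple[int, int]:
    """Bounds of the combined transition tau_{E,E'}: the later lower bound and
    the earlier upper bound.  Raises if max{l,l'} > min{u,u'}, i.e. the two
    edges could never be taken together."""
    lo, hi = max(e1.l, e2.l), min(e1.u, e2.u)
    if lo > hi:
        raise ValueError(f"{e1.proc}:{e1.instr} and {e2.proc}:{e2.instr} can never "
                         f"synchronize (lower bound {lo} exceeds upper bound {hi})")
    return lo, hi


def joint_transitions(edges: List[CommEdge]):
    """All matching pairs with their joint delay interval; ill-formed pairs are
    collected in `bad` rather than silently yielding an empty interval."""
    good, bad = [], []
    for e1, e2 in combinations(edges, 2):
        if not matches(e1, e2):
            continue
        try:
            good.append((e1, e2, joint_delay(e1, e2)))
        except ValueError as err:
            bad.append(str(err))
    return good, bad


# Constructed sample: channel a is well formed, channel b is not, and P1's own
# send and receive on channel c never match each other (same process).
SAMPLE = [
    CommEdge("P1", "l1", "l1'", "ready -> a!v", 1, 3),
    CommEdge("P2", "m1", "m1'", "true -> a?x", 2, 5),
    CommEdge("P1", "l2", "l2'", "b!1", 4, 6),
    CommEdge("P3", "n1", "n1'", "b?y", 0, 2),
    CommEdge("P1", "l3", "l3'", "c!0", 0, 0),
    CommEdge("P1", "l4", "l4'", "c?z", 0, 0),
]

if __name__ == "__main__":
    good, bad = joint_transitions(SAMPLE)
    for e1, e2, (lo, hi) in good:
        print(f"{e1.proc}:{e1.instr}  <->  {e2.proc}:{e2.instr}  delay [{lo},{hi}]")
    for msg in bad:
        print("ill-formed:", msg)
```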

Process  synchronization 

Recall that the component processes of the multiprocessing system P1||P2 may start at arbitrary, even vastly different, times. An important application of synchronous message passing is the synchronization of parallel processes. Let P1 and P2 be two real-time processes whose timed transition diagrams have the entry locations $\ell^0_1$ and $\ell^0_2$, respectively, and let a be a channel. Now consider the two processes $\bar{P}_1$ and $\bar{P}_2$ whose timed transition diagrams are obtained from the transition diagrams for P1 and P2 by adding new entry locations:

[Figure: timed transition diagrams of $\bar{P}_1$ and $\bar{P}_2$, each with a new entry location and an added communication edge on the channel a; edge labels not legible in this copy]


The added message-passing operations have the effect of synchronizing the start of the two processes P1 and P2 (whenever message passing is used for the purpose of process synchronization only, the data that is passed between processes is immaterial and the data components of the send and receive instructions are usually suppressed). It follows that the component processes of the multiprocessing system $\bar{P}_1 \| \bar{P}_2$ start synchronously, at the exact same (arbitrary) time.


From now on, we shall write $P_1 \|_s P_2$ for the system P whose component processes P1 and P2 start synchronously; that is, the notation $P_1 \|_s P_2$ is an abbreviation for the message-passing system $\bar{P}_1 \| \bar{P}_2$. Equivalently, we can directly define the formal semantics $S_P$ of the synchronous multiprocessing system $P_1 \|_s P_2$ as containing a single entry transition $\tau_0$ for both processes P1 and P2, namely, $\sigma' \in \tau_0(\sigma)$ iff

$\sigma(\pi_1) = \sigma(\pi_2) = \bot$,
$\sigma'(\pi_1) = \ell^0_1$ and $\sigma'(\pi_2) = \ell^0_2$,
$\sigma'(y) = \sigma(y)$ for all $y \in V - \{\pi_1, \pi_2\}$.

It  is  not  hard  to  generalize  our  notion  of  synchronous  message  passing  to  synchronous  broadcasting, 
which  allows  arbitrarily  many  parallel  processes  to  synchronize  simultaneously  on  joint  transitions. 


4  Concrete  Model:  Multiprogramming  Systems 

While the interleaving model for concurrency identifies true parallelism (multiprocessing) with nondeterminism (multiprogramming), the traffic light example of the previous section suggests that the ability of a system to meet its real-time constraints depends crucially on the number of processors that are available and the process allocation algorithm. This is vividly demonstrated by the following trivial system consisting of the two processes P1 and P2:

[Figure: timed transition diagrams of P1 and P2, each consisting of a single edge with delay [1,1]]

If both processes are executed in parallel on two processors, we denote the resulting system by P1||P2 (or $P_1 \|_s P_2$, if the processes are started at the same time); if they share a single processor and are executed one transition at a time according to some scheduling strategy, the composite system is denoted by P1|||P2.


In the untimed case, it is the very essence of the interleaving semantics to identify both systems with the same set of possible (interleaved) execution sequences — the stuttering closure of the two state sequences

[Displayed: the two interleaved state sequences over (π1, π2), one in which P1 takes its step first and one in which P2 does; not legible in this copy]

(a state is an interpretation of the two control variables π1 and π2). Real time, however, can distinguish between true concurrency and sequential nondeterminism: if both processes start synchronously, then the parallel execution of P1 and P2 terminates within 1 time unit; on the other hand, any interleaved sequential execution of P1 and P2 takes 2 time units. This distinction must be captured by our model:

1. In the two-processor case $P_1 \|_s P_2$, we obtain as initialized computations the timed state sequences that result from closing the two sequences

[Displayed: two timed state sequences, both starting from (⊥, ⊥, 0); remaining entries not legible in this copy]

under stuttering and shifting the origin of time (the third component of every triple denotes the time). Note that the system P1||P2 has more initialized computations, because the time difference between the start of P1 and the start of P2 can be arbitrarily large.


2. In the time-sharing case P1|||P2, the set of initialized computations will be defined to be essentially the closure of the two sequences

[Displayed: two timed state sequences, both starting from (⊥, ⊥, 0); remaining entries not legible in this copy]

under stuttering and shifting the origin of time. We write "essentially," because we will augment the states by information about the status of the two processes (either active or suspended). Also, observe that we have silently assumed that the swapping of processes is instantaneous and that neither process has priority over the other process. All of these issues will be discussed in detail.


Thus, when time is of the essence, we can no longer ignore the difference between multiprocessing and multiprogramming. In this section, we first show how our model extends to concrete real-time systems that consist of a fixed number of sequential programs that are executed, by time-sharing, on a single processor. Then we use our framework to represent general multiprogramming systems, in which several processes share a pool of processors statically or dynamically.


4.1  Syntax  and  semantics 

A multiprogramming system P has the form

{θ}[P1|||...|||Pm].

Each process Pi, for 1 ≤ i ≤ m, is again a sequential nondeterministic real-time program over the finite set U of data variables, whose initial values satisfy the data precondition θ. We represent the real-time programs Pi by timed transition diagrams as before. Note, however, that in the multiprogramming case the control of the (single) processor resides at one particular location of one particular process. Thus the intended operational meaning of the edge

is as follows. The minimal delay l guarantees that whenever the control (of the single processor) has resided at the location ℓ for at least l time units and the guard c is true, then the control may proceed to the location $\hat{\ell}$. The maximal delay u ensures that whenever the control has resided at ℓ for u time units and the guard c is true, then it must proceed to $\hat{\ell}$. This is because, in the single-processor case, no other process can interfere with the active process and change the value of c.

The operational view of the concrete model is again captured formally by a translation into timed transition systems. With the given multiprogramming system P, we associate the following timed transition system $S_P = (V, \Sigma, \Theta, T, l, u)$:

1. $V = U \cup \{\mu, \pi_1, \ldots, \pi_m\}$. There are two kinds of control variables: the processor control variable μ ranges over the set $\{1, \ldots, m, \bot\}$; each process control variable $\pi_i$, for 1 ≤ i ≤ m, ranges over the set $L_i$ of locations of the process $P_i$. The value of the processor control variable μ is ⊥ (undefined) before the (single) processor starts executing processes. Thereafter the control of the processor resides at the current location of the process $P_\mu$. We say that $P_\mu$ is active, while all other processes $P_i$, for i ≠ μ, are suspended (if the value of μ is undefined, then all processes are suspended). The process control variable $\pi_i$ of a suspended process indicates the location at which the execution of $P_i$ will resume when $P_i$ gains control of the processor.

2. Σ contains all interpretations of V.

3. Θ is the set of all states σ ∈ Σ such that θ is true in σ, and σ(μ) = ⊥, and $\sigma(\pi_i) = \ell^0_i$ for all 1 ≤ i ≤ m.

4. T contains, in addition to the idle transition $\tau_I$, an action transition $\tau_E$ for every edge E in the timed transition diagrams for $P_1, \ldots, P_m$. If E connects the source location ℓ to the target location $\hat{\ell}$ and is labeled by the instruction $c \to x := e$, then $\sigma' \in \tau_E(\sigma)$ iff

$\sigma(\mu) = i$,
$\sigma(\pi_i) = \ell$ and $\sigma'(\pi_i) = \hat{\ell}$,
c is true in σ and $\sigma'(x) = \sigma(e)$,
$\sigma'(y) = \sigma(y)$ for all $y \in V - \{\pi_i, x\}$.

Furthermore, there are scheduling transitions τ ∈ T that change the status of the processes by resuming a suspended process: $\sigma' \in \tau(\sigma)$ implies that

$\sigma'(y) = \sigma(y)$ for all $y \in U$.

The scheduling policy determines the set of scheduling transitions. A scheduling transition τ is called an entry transition iff it is enabled on some initial states. We restrict ourselves to scheduling policies with a single entry transition, $\tau_0$, that is enabled on all initial states. Moreover, we require that $\sigma' \in \tau_0(\sigma)$ implies that

$\sigma(\mu) = \bot$,
$\sigma'(y) = \sigma(y)$ for all $y \in V - \{\mu\}$;

that is, the entry transition $\tau_0$ is enabled precisely on the initial states and activates, perhaps nondeterministically, one of the competing processes.

5. For every edge E labeled by the minimal delay l, let $l_{\tau_E} = l$. Furthermore, $l_{\tau_0} = 0$.

6. For every edge E labeled by the maximal delay u, let $u_{\tau_E} = u$. Furthermore, $u_{\tau_0} = \infty$.

The computations of $S_P$ clearly depend on the scheduling transitions and their delays. In the untimed case, the scheduling issue can be reduced to fairness assumptions about the scheduling policy: correctness of an untimed multiprogramming system is generally shown for all fair scheduling strategies. It makes, however, little sense to desire that a multiprogramming system satisfies a real-time requirement under all (fair) scheduling strategies, because the scheduling algorithm usually determines if a system meets its timing constraints. In fact, fair scheduling strategies admit thrashing: by switching control too often between processes, only scheduling transitions may be performed, because no action transition is enabled long enough so that it has to be taken; thus the system may make no real progress at all and may certainly not meet any real-time deadlines. Consequently, we study the correctness of real-time multiprogramming systems always with respect to a particular given scheduling policy.

4.2  Scheduling  strategies 

Our selection of scheduling strategies is neither intended to be categorical nor comprehensive; we simply try to examine what we think is a representative variety of different scheduling mechanisms and, in the process, hope to convince ourselves of the utility of the timed transition system model. Throughout this subsection, we assume a fixed multiprogramming system

P: {θ}[P1|||...|||Pm]

and define the scheduling transitions of the associated timed transition system $S_P$ for various scheduling algorithms.

Greedy  scheduling 

The simplest reasonable scheduling strategy, as well as our default strategy, is greedy. According to this policy, the process that is currently in control of the processor remains active until all its transitions are disabled. At this point an arbitrary other process with an enabled transition takes over. Formally, the set T of transitions of $S_P$ contains, in addition to the entry transition $\tau_0$, a single scheduling transition, $\tau_G$, with $\sigma' \in \tau_G(\sigma)$ iff

$\sigma(\mu) \neq \bot$,
$\sigma'(y) = \sigma(y)$ for all $y \in V - \{\mu\}$,
$\tau_E(\sigma) = \emptyset$ for all action transitions $\tau_E$,
$\tau_E(\sigma') \neq \emptyset$ for some action transition $\tau_E$.

If there is no cost associated with swapping processes, then $l_{\tau_G} = u_{\tau_G} = 0$. If switching processes is not instantaneous, then the minimal and maximal delays of $\tau_G$ should be adjusted accordingly.
Scheduling instructions

More flexible scheduling strategies can be implemented with explicit scheduling operations. For this purpose, we enrich our programming language by the instruction resume(s), where $s \subseteq \{1, \ldots, m\}$ determines a subset of processes. The scheduling operation resume(s) suspends the currently active process, say, $P_i$, and activates, nondeterministically, one of the processes $P_j$ with j ∈ s:

[Figure: a resume edge; legible labels in this copy: resume(s), [l,u]]

We write resume(j) for resume({j}) and suspend for resume({1 ≤ j ≤ m | j ≠ i}); that is, the instruction suspend delegates the control from the currently active process to any one of the competing processes.

Formally, the set T of transitions of $S_P$ contains, in addition to the entry transition $\tau_0$, a scheduling transition $\tau_E$ for every resume edge E in the timed transition diagrams for $P_1, \ldots, P_m$. If E connects the source location ℓ to the target location $\hat{\ell}$ and is labeled by the instruction $c \to resume(s)$, then $\sigma' \in \tau_E(\sigma)$ iff

$\sigma(\mu) = i$ and $\sigma'(\mu) \in s$,
$\sigma(\pi_i) = \ell$ and $\sigma'(\pi_i) = \hat{\ell}$,
c is true in σ,
$\sigma'(y) = \sigma(y)$ for all $y \in V - \{\mu, \pi_i\}$.

Furthermore, for every scheduling edge E labeled by the minimal delay l and the maximal delay u, let $l_{\tau_E} = l$ and $u_{\tau_E} = u$.


Delays and timers

Note that the instruction

models a busy wait; the process $P_i$ occupies the processor for 10 time units while waiting. To implement a nonbusy wait, in which $P_i$ releases the processor to a competing process for 10 time units before resuming execution, we use a timer $T_{[10,10]}$ (alarm clock) as a parallel process:

[Figure: timed transition diagram of the timer $T_{[10,10]}$; legible labels in this copy: t := false, resume(i)]

We make sure that the timer $T_{[10,10]}$ is started (i.e., waiting for activation) when the process $P_i$ becomes active. Then the timer is activated by the sequence

[Figure: the activation sequence; legible labels in this copy: t := true [0,0], resume(s) [0,0]]

In general, a timer process $T_{[l,u]}$ marks nondeterministically a time period between l and u time units and is executed in parallel to the other processes of a system.

The activation of the timer $T_{[l,u]}$ is abbreviated by the delay instruction

[Figure: a delay edge; legible label in this copy: delay(s)]

The delay instruction allows us to program nonbusy delays without explicitly mentioning timers; we simply assume that there exists, implicitly, a unique timer process for every delay instruction in a timed transition diagram.


Round-robin  scheduling 

A construction that is similar to the timer example allows us to implement a round-robin scheduling strategy for two processes P1 and P2 that share a single processor. In the system $(P_1 ||| P_2) \|_s S$, the scheduler

[Figure: timed transition diagram of the scheduler S; legible label in this copy: resume(1)]

gives each of the two processes P1 and P2 in turn 10 time units of processor time. Needless to say, the explicit scheduling instructions give us the ability to design more sophisticated schedulers as well.


4.3  Processor  allocation 

Both the multiprogramming system with a timer and the multiprogramming system with a central scheduler are, in fact, combinations of multiprocessing and multiprogramming systems in which several tasks compete for some of the processors. In these systems, the question of scheduling, which determines the processor time that is granted to individual processes, is preceded by the question of processor allocation, which determines the assignment of processes to processors. This assignment can be either static, if every process is assigned to a fixed processor, or dynamic, if a set of processes competes for a pool of processors and processes may reside, over time, at different processors. We only hint how this very general notion of real-time system fits into our framework and can be modeled by timed transition systems. A static (shared-variables or message-passing) system P with k processors is of the form

$\{\theta\}[(P_{1,1} ||| \cdots ||| P_{1,m_1}) \| \cdots \| (P_{k,1} ||| \cdots ||| P_{k,m_k})]$,

that is, $m_i$ processes compete for the i-th processor. The definition of the associated timed transition system $S_P$ is straightforward: every processor has its own processor control variable $\mu_i$, for 1 ≤ i ≤ k, which ranges over the set of competing processes $\{1, \ldots, m_i, \bot\}$ and designates the active process. Furthermore, every processor operates according to a local scheduling policy with a single entry transition $\tau^i_0$, for 1 ≤ i ≤ k.

To model systems in which a process competes for more than one processor, we simply write

for the dynamic system in which m processes compete for k processors according to some global processor allocation and scheduling policy. To define dynamic systems, it is useful to have a more general scheduling instruction, resume(s, x), which interrupts the process that is currently active on processor x and activates, on processor x, one of the processes from the set s.


4.4  Priorities  and  interrupts 

While  the  scheduling  instruction  resume  gives  us  the  flexibility  to  design  a  scheduler,  we  often  wish 
to  adopt  a  simple,  static  scheduling  strategy  without  having  to  explicitly  construct  a  scheduler.  In 
this  subsection,  we  offer  this  possibility  by  generalizing  the  greedy  strategy.  We  assign  a  priority  to 
every  transition,  and  at  any  point  in  a  computation,  choose  only  among  the  transitions  with  the 
highest  priority.  If  the  transition  with  the  highest  priority  belongs  to  a  suspended  process,  then 
the  currently  active  process  is  interrupted  and  the  execution  of  the  suspended  process  is  resumed. 

A priority system P is a (shared-variables or message-passing, static or dynamic) system in which a priority is associated with every instruction; that is, with every edge in the timed transition diagrams for P. We use nonnegative integers as priorities (0 being the highest priority) and annotate an edge with a priority p ∈ ℕ as follows:


We formalize the priority semantics only for simple multiprogramming systems; the generalization to systems with several processors is straightforward. With a given priority system

P:

we associate the following timed transition system $S_P = (V, \Sigma, \Theta, T, l, u)$:

• V, Σ, and Θ are as before.

• T contains, in addition to $\tau_I$, an action transition $\tau_E$ for every assignment edge E in the transition diagrams for $P_1, \ldots, P_m$. If E connects the source location ℓ to the target location $\hat{\ell}$ and is labeled by the instruction $p: c \to x := e$, then $\sigma \to_E \sigma'$ iff

$\sigma(\pi_i) = \ell$ and $\sigma'(\pi_i) = \hat{\ell}$,
c is true in σ and $\sigma'(x) = \sigma(e)$,
$\sigma'(y) = \sigma(y)$ for all $y \in V - \{\mu, \pi_i, x\}$.

Then $\sigma' \in \tau_E(\sigma)$ iff

$\sigma \to_E \sigma'$ and $\sigma'(\mu) = i$,
there is no edge E' that is labeled by a higher priority p' < p such that $\sigma \to_{E'} \sigma''$ for some σ''.

For any matching pair of communication edges E and E' that are labeled by the priorities p and p', respectively, we take the higher priority min{p, p'} for the combined transition $\tau_{E,E'}$ (although this choice is arbitrary and may be reversed, if the need arises).

Furthermore, there is, in addition to the entry transition $\tau_0$, a scheduling transition $\tau_P$ such that $\sigma' \in \tau_P(\sigma)$ iff

$\sigma(\mu) \neq \bot$,
$\sigma'(y) = \sigma(y)$ for all $y \in V - \{\mu\}$,
$\tau_E(\sigma) = \emptyset$ for all action transitions $\tau_E$,
$\tau_E(\sigma') \neq \emptyset$ for some action transition $\tau_E$.

• Let $l_{\tau_E}$ and $u_{\tau_E}$ be as before, and choose $l_{\tau_P}$ and $u_{\tau_P}$ to represent the cost of swapping processes.

Note that if all transitions have equal priority, then the scheduling strategy is greedy (that is, $\tau_G = \tau_P$). Thus priorities generalize our previous discussion conservatively: all systems can be viewed as priority systems whose instructions have the same default priority, unless they are annotated with explicit priorities.
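The following Python simulation is an added example (not the paper's code) that serves three passages at once: the single-processor traffic-light scenario of Section 3.3 (δ1 = 10, δ2 = 2, a request for the second light arriving one time unit after a request for the first), the thrashing remark of Section 4.1, and the static priority semantics just given. It assumes integer time, instantaneous swaps ([0,0]) and priorities at process granularity; the names controller, static_priority, time_slice, run and check_response are the example's own, and the request times are constructed.

```python
# Added example: integer-time simulator for the paper's single-processor model
# (processor control variable mu, per-process residence time); not the paper's code.
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

State = Dict[str, object]


@dataclass
class Edge:
    src: int
    dst: int
    delay: int                                   # l = u, so the firing time is fixed
    guard: Callable[[State], bool] = lambda s: True
    action: Callable[[State], None] = lambda s: None


@dataclass
class Process:
    name: str
    edges: List[Edge]
    loc: int = 0
    since: int = 0      # instant at which the processor's control arrived at loc
    fired: int = 0      # action transitions taken so far

    def enabled(self, s: State) -> Optional[Edge]:
        return next((e for e in self.edges if e.src == self.loc and e.guard(s)), None)


def controller(i: int, delta: int) -> Process:
    """Q_i of the text: consume request_i, light_i := green, busy-wait delta, red."""
    req, light = f"request{i}", f"light{i}"
    def consume(s): s[req] = False
    def green(s): s[light] = "green"
    def red(s): s[light] = "red"
    return Process(f"Q{i}", [Edge(0, 1, 0, lambda s: s[req], consume),
                             Edge(1, 2, 1, action=green),
                             Edge(2, 3, delta),
                             Edge(3, 0, 1, action=red)])


def static_priority(order: List[int]):
    """Priority policy of 4.4 at process granularity: the first process in `order`
    with an enabled transition gets the processor, interrupting the active one."""
    return lambda t, procs, s: next((i for i in order if procs[i].enabled(s)), None)


def time_slice(q: int):
    """A fair but thrashing-prone policy: hand the processor around every q time
    units regardless of what the processes are doing."""
    return lambda t, procs, s: (t // q) % len(procs)


def run(procs: List[Process], policy, arrivals: Dict[int, List[str]], horizon: int, init: State):
    """At each instant: fire what is due, let the environment raise its requests,
    then fire the zero-delay reactions.  A resumed process restarts its residence
    time, as in the text's model (swaps cost [0,0]).  Returns {t: state}."""
    s, mu, trace = dict(init), None, {}
    def settle(t: int) -> None:
        nonlocal mu
        while True:
            cand = policy(t, procs, s)
            if cand is None or procs[cand].enabled(s) is None:
                return
            if cand != mu:                         # scheduling transition
                mu, procs[cand].since = cand, t
            p, e = procs[cand], procs[cand].enabled(s)
            if t - p.since < e.delay:
                return                             # still waiting; nobody else may run
            e.action(s)
            p.loc, p.since, p.fired = e.dst, t, p.fired + 1
    for t in range(horizon):
        settle(t)
        for r in arrivals.get(t, []):
            s[r] = True
        settle(t)
        trace[t] = dict(s)
    return trace


def check_response(trace, arrivals, req: str, light: str, within: int, hold: int):
    """(A_i): after each arrival of req at time r, light is green at some
    t <= r + within and stays green for hold consecutive units.  Returns the
    arrival times that violate this."""
    green = lambda t: trace.get(t, {}).get(light) == "green"
    return [r for r, names in arrivals.items() if req in names and not any(
        all(green(t + k) for k in range(hold)) for t in range(r, r + within + 1))]


ARRIVALS = {0: ["request1"], 1: ["request2"]}      # the text's scenario (constructed times)
INIT = {"request1": False, "request2": False, "light1": "red", "light2": "red"}


def traffic_lights(order: List[int]):
    """delta1 = 10, delta2 = 2 on one processor; returns the arrival times
    violating (A1) and (A2), respectively."""
    trace = run([controller(1, 10), controller(2, 2)], static_priority(order), ARRIVALS, 40, INIT)
    return (check_response(trace, ARRIVALS, "request1", "light1", 5, 5),
            check_response(trace, ARRIVALS, "request2", "light2", 3, 3))


def thrashing(q: int) -> int:
    """Two processes with a single [2,2] edge each, swapped every q units:
    number of action transitions taken within 20 time units."""
    procs = [Process("P1", [Edge(0, 1, 2)]), Process("P2", [Edge(0, 1, 2)])]
    run(procs, time_slice(q), {}, 20, {})
    return sum(p.fired for p in procs)


if __name__ == "__main__":
    print("Q1 preferred:", traffic_lights([0, 1]))   # ([], [1]): (A2) missed
    print("Q2 preferred:", traffic_lights([1, 0]))   # ([], [])
    print("swap every 1:", thrashing(1), "every 3:", thrashing(3))   # 0 and 2
```

With Q1 preferred, light2 only turns green after Q1's 10-unit busy wait, so the request at time 1 violates (A2); with Q2 preferred, Q2 interrupts Q1 at time 1 and both (A1) and (A2) hold. Swapping every time unit never lets a [2,2] edge accumulate its residence time, so no action transition is ever taken.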

Dynamic  priorities 

Priorities can be combined with explicit scheduling operations in the obvious way. It is, however, often more convenient to model dynamic scheduling strategies, which change over time, by dynamic priorities, which can be modified by any process during execution. Dynamic priorities offer exciting possibilities, such as the ability of a process to increase or decrease its own priority. Moreover, they are easily incorporated into our framework. We simply use data variables that range over the nonnegative integers ℕ as priorities. Instead of giving the formal semantics of dynamic priorities, which is constructed straightforwardly from the semantics of constant (static) priorities, we present an interesting real-time application of dynamic priorities.

We have not yet pointed out that our interpretation of message passing is not entirely conservative over the untimed case: there the set of legal execution sequences usually is restricted by strong-fairness assumptions for communication transitions ([MP89a]). This is convenient for the study of time-independent properties of a system, where simple fairness assumptions about "nondeterministic" branching points abstract complex implementation details. Consider, for example, the multiprocessing system P1||P2||Q that consists of the following three processes P1, P2, and Q:
[Figure: timed transition diagrams of P1, P2 and the arbiter Q; not legible in this copy]


(Recall that we may omit the data components of message-passing operations, if they are immaterial.) The arbiter Q mediates between the two processes P1 and P2 and uses synchronous communication on the two channels a and  to ensure mutual exclusion: P1 and P2 can never be simultaneously in their respective critical sections.

Strong-fairness assumptions on the communication transitions are used to guarantee that, in addition to mutual exclusion, neither of the two processes P1 and P2 is shut out from its critical section forever: the arbiter cannot always prefer one process over the other. Any such infinitary fairness assumption, however, is clearly without bearing on the satisfaction of a real-time requirement such as the demand that a process has to wait at most 10 time units before being able to enter its critical section. As has been the case with scheduling, we encounter again a situation in which the infinitary notion of "fairness" is adequate for proving untimed properties, yet entirely inadequate for proving timing constraints. To verify compliance with real-time requirements, we can no longer forgo an explicit description of how the arbiter Q decides between the two processes P1 and P2 when both are waiting to enter their critical sections. For instance, the following refinement Q' of Q never makes the same "nondeterministic" choice twice in a row:


(We use semicolons to concatenate instructions; the default value of priorities is assumed to be 0.) The arbiter $Q'$ modifies the priorities $p$ and $q$ of its nondeterministic alternatives to ensure that the system

$\{p = q = 0\}\,[P_1 \| P_2 \| Q']$

satisfies the requirement that each process has to wait at most 10 time units before being able to enter its critical section. Note that neither of the two nondeterministic alternatives is ever disabled, but, at any time, one of them is “preferred.”

Finitary branching fairness

Since infinitary fairness assumptions, such as weak fairness for scheduling and strong fairness for synchronization, are insufficient to guarantee the satisfaction of real-time deadlines, one may choose to add finitary branching conditions to timed transition systems. Such a finitary notion of fairness would restrict the nondeterminism of a system. We may want to require, for example, that no competitor of a transition $\tau$ can be taken more than $n$ times without $\tau$ itself being taken (a similar concept has been called bounded fairness in [Jay88]). We prefer, both for scheduling and synchronization, an explicit description of the selection process to such implicit assumptions. Since all selection processes that we have found useful can be described within our language, we see no need to introduce additional concepts that would only complicate any verification methodology.


Part II

Verifying Real-time Systems

We define a formal language that is interpreted over timed state sequences. This language is used to specify timed transition systems: a timed transition system $S$ meets the specification $\phi$ iff all initialized computations of $S$ satisfy $\phi$. We present two proof methodologies, bounded-operator reasoning and explicit-clock reasoning, for verifying that a timed transition system meets its specification. Relative-completeness results are given for both proof techniques.


5 Specification Language

As a specification language, we use an extension of linear temporal logic with time-bounded temporal operators. We distinguish between state formulas, which assert properties of individual states of a computation, and temporal formulas, which assert properties of entire computations.


5.1 State formulas

Let $S = (V, \Sigma, \Theta, \mathcal{T}, l, u)$ be a timed transition system. Typically $S$ is associated with a concrete real-time system that belongs to one of the classes we have discussed in Part I. Throughout this part, we use the following additional assumptions about the set $V$ of variables:

• We assume that, in addition to data and control variables, $V$ contains sufficiently many auxiliary variables that range over the integers $\mathbb{Z}$ and are not changed by any of the transitions of $S$. We will on occasion need a “new, rigid” variable, and for this purpose we employ one of the auxiliary variables that have not been used previously.

• We assume that, for every variable $x \in V$, there is a corresponding unique primed variable $x'$ that ranges over the same domain as $x$.

We are given an assertion language, a first-order language with equality that contains interpreted function and predicate symbols to express operations and relations on the domains of the variables in $V$. A state formula is a first-order formula $p$ of the assertion language such that only variables from $V$ occur freely in $p$. Thus, every state in $\Sigma$ provides an interpretation for the state formulas. If the state formula $p$ is true in state $\sigma$, we say that $\sigma$ is a $p$-state.

We use the following abbreviations for state formulas:

• For any transition $\tau \in \mathcal{T}$, the enabling condition $\mathit{enabled}(\tau)$ asserts that $\tau$ is enabled. In particular, $\mathit{enabled}(\tau_I)$ abbreviates $\mathit{true}$ for the idle transition $\tau_I$.

• For any transition $\tau \in \mathcal{T}$ and state formulas $p$ and $q$, the verification condition $\{p\}\,\tau\,\{q\}$ asserts that if $p$ is true of a state $\sigma \in \Sigma$, then $q$ is true of all $\tau$-successors of $\sigma$. In particular, $\{p\}\,\tau_I\,\{q\}$ stands for the universal closure of the formula $p \to q$. For any set $T \subseteq \mathcal{T}$ of transitions, we write $\{p\}\,T\,\{q\}$ for the conjunction

$\bigwedge_{\tau \in T} \{p\}\,\tau\,\{q\}$

of all individual verification conditions.

• For any transition $\tau \in \mathcal{T}$ and state formulas $p$ and $q$, the inverse verification condition $\{p\}\,\tau^{-}\,\{q\}$ asserts that if $p$ is true of a state $\sigma \in \Sigma$, then $q$ is true of all $\tau$-predecessors of $\sigma$. Observe that all inverse verification conditions are definable by ordinary verification conditions:

$\{p\}\,\tau^{-}\,\{q\}$ is equivalent to $\{\neg q\}\,\tau\,\{\neg p\}$.

In particular, $\{p\}\,\tau_I^{-}\,\{q\}$ is equivalent to $\{p\}\,\tau_I\,\{q\}$ for the idle transition $\tau_I$. For any set $T \subseteq \mathcal{T}$ of transitions, we write $\{p\}\,T^{-}\,\{q\}$ for the conjunction of the inverse verification conditions for all transitions in $T$.

Note that while the truth value of an enabling condition depends on the state in which it is interpreted, the verification conditions are state-independent and, thus, equivalent to closed formulas.

In the case that the timed transition system $S$ is associated with a shared-variables multiprocessing system $P$, it is not hard to see that the enabling and verification conditions of all transitions can indeed be expressed by state formulas. Suppose that $P$ consists of the $m$ processes $P_i$, for $1 \le i \le m$, and the data precondition $\theta$, which is a state formula:

$\{\theta\}\,[P_1 \| \cdots \| P_m]$

Let us assume that each process $P_i$, for $1 \le i \le m$, is given by a timed transition diagram with the locations $\ell^i_0, \ell^i_1, \ldots$ and the entry location $\ell^i_0$, and that the control variable $\pi_i$ holds the current location of $P_i$ (or $\bot$ before $P_i$ has started). We write $\mathit{at}\_\ell^i_\bot$ for $\pi_i = \bot$, and $\mathit{at}\_\ell^i_j$ for $\pi_i = \ell^i_j$, that is, the control of the process $P_i$ is at the location $\ell^i_j$. We abbreviate any disjunction $\mathit{at}\_\ell^i_j \vee \mathit{at}\_\ell^i_k$ further to $\mathit{at}\_\ell^i_{j,k}$.

1. For each entry transition $\tau^i_0 \in \mathcal{T}$ of $S_P$, the enabling condition $\mathit{enabled}(\tau^i_0)$ is equivalent to the state formula

$\mathit{at}\_\ell^i_\bot$,

and the verification condition $\{p\}\,\tau^i_0\,\{q\}$ is equivalent to the universal closure of the formula

$(p \wedge \mathit{enabled}(\tau^i_0) \wedge (\mathit{at}\_\ell^i_0)' \wedge \bigwedge_{y \in V - \{\pi_i\}} (y' = y)) \to q'$,

where the formula $q'$ is obtained from $q$ by replacing every variable with its primed version; for example, $(\mathit{at}\_\ell^i_j)'$ stands for $\pi_i' = \ell^i_j$. The inverse verification condition $\{p\}\,(\tau^i_0)^{-}\,\{q\}$ is equivalent to the universal closure of

$(p' \wedge \mathit{enabled}(\tau^i_0) \wedge (\mathit{at}\_\ell^i_0)' \wedge \bigwedge_{y \in V - \{\pi_i\}} (y' = y)) \to q$.

2. All other nonidle transitions of $S_P$ correspond to edges in the timed transition diagrams for the processes $P_i$. Let $\tau^i_{j \to k} \in \mathcal{T}$ be such a transition and assume that the corresponding edge that connects the location $\ell^i_j$ to the location $\ell^i_k$ is labeled by the instruction $c \to x := e$. Then, the enabling condition $\mathit{enabled}(\tau^i_{j \to k})$ is equivalent to

$\mathit{at}\_\ell^i_j \wedge c$,

and the verification condition $\{p\}\,\tau^i_{j \to k}\,\{q\}$ is equivalent to the universal closure of the formula

$(p \wedge \mathit{enabled}(\tau^i_{j \to k}) \wedge (\mathit{at}\_\ell^i_k)' \wedge (x' = e) \wedge \bigwedge_{y \in V - \{\pi_i, x\}} (y' = y)) \to q'$.

The inverse verification condition $\{p\}\,(\tau^i_{j \to k})^{-}\,\{q\}$ is equivalent to the universal closure of

$(p' \wedge \mathit{enabled}(\tau^i_{j \to k}) \wedge (\mathit{at}\_\ell^i_k)' \wedge (x' = e) \wedge \bigwedge_{y \in V - \{\pi_i, x\}} (y' = y)) \to q$.

It  is  also  straightforward  to  express  the  enabling  and  verification  conditions  as  state  formulas,  if  the 
timed  transition  system  S  is  associated  with  any  of  the  other  concrete  real-time  systems  that  we 
discussed  in  Part  I,  such  as  message-passing,  multiprogramming,  dynamic,  and  priority  systems. 

Synchronous multiprocessing systems

Our examples will be drawn from timed transition systems $S$ that are associated with multiprocessing systems $P$ of the form

$\{\theta\}\,[P_1 \| \cdots \| P_m]$

all of whose component processes start synchronously (i.e., at the exact same time). We call such a system synchronous and model it by a single entry transition that sets all control variables, simultaneously, to the entry locations of the individual processes. For multiprocessing systems $P$, it is convenient to define the following two additional abbreviations for state formulas:

• The ready condition $\mathit{ready}$ holds precisely in the initial states $\Theta$ of $S_P$; it indicates that none of the processes of $P$ has started yet. Consequently, $\mathit{ready}$ stands for the state formula

$\theta \wedge \bigwedge_{1 \le i \le m} \mathit{at}\_\ell^i_\bot$.

• The synchronous starting condition $\mathit{start}$ indicates that all processes of $P$ have entered their entry locations, but none has proceeded any further; that is, $\mathit{start}$ abbreviates the state formula

$\theta \wedge \bigwedge_{1 \le i \le m} \mathit{at}\_\ell^i_0$.

Note that if $P$ is synchronous, then the two verification conditions

$\{\mathit{ready}\}\,(\mathcal{T} - \tau_I)\,\{\mathit{start}\}$,

$\{\mathit{start}\}\,(\mathcal{T} - \tau_I)^{-}\,\{\mathit{ready}\}$

are valid (by $\mathcal{T} - \tau$ we denote the set difference $\mathcal{T} - \{\tau\}$).
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5.2  Temporal  formulas 

Temporal  formulas  axe  constructed  from  state  formulas  by  boolean  connectives  and  time-bounded 
temporal  operators.  They  are  interpreted  over  timed  state  sequences.  In  this  paper,  we  are  in¬ 
terested  in  proving  two  important  classes  of  real-time  properties  bounded-invariance  properties 
and  bounded- response  properties.  Thus  we  restrict  ourselves  to  the  following  temporal  formulas. 

•  Every  state  formula p  is  a  temporal  formula;  it  is  true  over  the  timed  state  sequence  p  —  (^jT) 
iff  the  initial  state  ao  is  a  p-state. 

•  Every  boolean  combination  of  temporal  formulas  is  a  temporal  formula,  whose  truth  over  a 
timed  state  sequence  is  determined  from  the  truth  of  its  components  in  the  standard  way. 

•  If  p  is  a  state  formula,  (f)  a  temporal  formula,  and  /  €  N,  then  pU>/  ^  is  a  temporal  formula; 
it  is  true  over  the  timed  state  sequence  p  =  (^jT)  iff  either  aU  for  i  >  0,  are  p-states,  or 
there  is  some  position  i  ^  0  such  that  >  To  +  3Jid  (j>  is  true  over  the  t-th  suffix  p  of  p, 
and  all  <7^,  for  0  <  ;  <  i,  axe  p-states.  We  use  the  abbreviations  p  U  □<;p,  and  pU^^  (t>  for 
the  formulas  p  U>o  p  U>/  irue^  and  p  A  (p  U>/  ^),  respectively. 

•  If  ^  is  a  temporal  formula  and  tz  G  N,  then  0<tx  ^  is  a  temporal  formula;  it  is  true  over  the 
timed  state  sequence  p  =  (^jT)  iff  there  is  some  position  i  >  0  such  that  <  To  +  u  and  <j> 
is  true  over  the  i-th  suffix  p^  of  p. 

Temporal-logic  aficionados  will  readily  recognize  the  operators  [}>i ,  ,  and  0<u  as  time-bounded 

versions  of  the  standard  (untimed)  urdess^  always,  and  eventually  operators.  In  particular,  the 
formula  p  U>o  Q  is  true  over  a  timed  state  sequence  p  =  (<t,T)  iff  the  untimed  unless  formula  pU  5 
is  true  over  the  state  component  a  of  p: 

either  all  Ci,  for  i  >  0,  axe  p-states, 

or  there  is  some  position  i  >  0  such  that  q  is  true  over  the  i-th  suffix  cr*  of  c  and  all  Cj, 
for  0  <  j  <  i,  are  p-states. 

For  a  general  addition  of  time-bounded  operators  to  linear  temporal  logic,  see  [AH90].  From  now 
on,  we  use  the  convention  that  the  letters  p,  g,  r  as  well  as  <p  (and  primed  versions)  denote  state 
formulas,  while  the  letters  <f>,  rp,  and  x  stand  for  arbitraxy  temporal  formulas. 

$S$-validity and $S$-soundness

We say that a temporal formula $\phi$ is $S$-valid iff it is true over all computations of the timed transition system $S$. While (general) validity, truth over all timed state sequences, implies $S$-validity for every system $S$, the converse does not necessarily hold. In fact, even a state formula $p$ that is $S$-valid may not be true in some states of $S$ that do not occur along any run of $S$ and, hence, $p$ may not be generally valid. If a formula $\phi$ is $S$-valid, then it is, by definition, satisfied by all initialized computations of $S$. Thus, to show that the given system $S$ meets the specification $\phi$, it suffices to show that $\phi$ is $S$-valid.

A proof rule is called $S$-sound iff the $S$-validity of all premises implies the $S$-validity of the conclusion. Any $S$-sound rule can be used for verifying properties of the given system $S$.
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Bounded  invariance  and  bounded  response 

Two  important  classes  of  timing  requirements  for  real-time  systems  can  be  defined  by  temporal 
formulas: 

•  A  bounded^ invariance  property  asserts  that  a  condition  holds  continuously  for  a  certain 
amount  of  time;  it  is  often  used  to  specify  that  something  does  not  happen  for  a  certain 
amount  of  time.  Formally,  we  express  bounded-invariance  properties  by  temporal  formulas 
of  the  form 

P 

for  state  formulas p  and  q  and  /  G  M*  The  formula p  — ^  5  is  S- valid,  for  a  timed  transition 

system  5,  iff  for  all  (initialized)  computations  p  =  of  5  and  all  i  >  0  and  j  >  i, 

if  (Ti  is  a  p-state  and  Jj  <  Tj  +  /, 
then  (Tj  is  a  g-state; 

that  is,  no  p-state  is  followed  by  a  ig-state  within  time  less  than  1.  A  typical  application  of 
bounded  invariance  states  a  lower  bound  I  on  the  termination  of  a  multiprocessing  system  P 
with  the  termination  condition  r:  the  temporal  formula 

ready 

asserts  that,  if  not  started  before  time  t,  then  P  wiU  not  reach  a  final  state  before  time  t  +  /• 

•  A  bounded-response  property  asserts  that  something  happens  within  a  certain  amount  of  time. 
Formally,  we  express  bounded-response  properties  by  temporal  formulas  of  the  form 

P  0<u?, 

for  state  formulas  p  and  q  and  u  G  N .  The  formula  p  ^<u  ?  is  5- valid,  for  a  timed 
transition  system  5,  iff  for  all  (initialized)  computations  p  =  (^^,T)  of  5  and  all  z  >  0, 

if  (Ti  is  a  p-state, 

then  there  is  some  g-state  crj,  with  j  >  such  that  Tj  <  +  u; 

that  is,  every  p-state  is  followed  by  a  g-state  within  time  u.  A  typical  application  of  bounded 
response  states  an  upper  bound  u  on  the  termination  of  a  mtiltiprocessing  system  P  with  the 
termination  condition  r:  the  temporal  formula 

start  -4  0<u  T 

asserts  that  if  all  component  processes  of  P  are  started  synchronously  at  time  t,  then  P  is 
guaranteed  to  reach  a  final  state  no  later  than  at  time  t  +  u.  As  the  runs  of  timed  transition 
systems  are  closed  under  shifting  the  origin  of  time,  we  shall,  without  loss  of  generality, 
henceforth  assume  that  t  =  0. 
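The semantics of $p\,\mathcal{U}_{\ge l}\,\phi$ and $\Diamond_{\le u}\,\phi$ from Section 5.2 and the two $S$-validity definitions above can be executed directly on a finite timed state sequence. The following Python code is an added example and is not part of the paper; it assumes that a finite list of (state, time) pairs stands in for the paper's infinite sequences, that states are dictionaries with a control variable `pi` (value `"bot"` for $\bot$) and a data variable `x`, and the two runs it checks are constructed for the single-process example of Section 6.1 (one that respects the delay interval $[2,3]$ and one that enters $\ell_1$ too early).

```python
"""Evaluator for the bounded temporal operators of Section 5.2 over a
finite timed state sequence.  Added example; not from the paper.

A timed state sequence rho = (sigma, T) is represented as a list of
(state, time) pairs with non-decreasing times; a state is a dict that
maps variable names to values, and a state formula is a Python
predicate on such a dict.  Assumption (the paper works with infinite
sequences): the finite prefix given here is treated as the whole
sequence, so 'all sigma_i are p-states' means all listed states.
"""

def state_formula(p):
    """Lift a predicate on states to a temporal formula on sequences:
    true over rho iff the initial state sigma_0 is a p-state."""
    return lambda rho: p(rho[0][0])

def unless_ge(p, l, phi):
    """p U_{>=l} phi: either every state is a p-state, or some position i
    with T_i >= T_0 + l satisfies phi on the i-th suffix while all
    earlier states are p-states."""
    def holds(rho):
        t0 = rho[0][1]
        for i, (state, ti) in enumerate(rho):
            if ti >= t0 + l and phi(rho[i:]):
                return True          # all sigma_j, j < i, were p-states
            if not p(state):
                return False         # p failed before phi was reached
        return True                  # all states are p-states
    return holds

def always_lt(l, p):
    """Box_{<l} p abbreviates p U_{>=l} true."""
    return unless_ge(p, l, lambda rho: True)

def eventually_le(u, phi):
    """Diamond_{<=u} phi: phi holds on some suffix starting at T_i <= T_0 + u."""
    def holds(rho):
        t0 = rho[0][1]
        return any(ti <= t0 + u and phi(rho[i:])
                   for i, (_, ti) in enumerate(rho))
    return holds

def valid_over(rho, phi):
    """A formula p -> ... is S-valid iff it holds on every suffix of every
    computation; this checks every suffix of one computation."""
    return all(phi(rho[i:]) for i in range(len(rho)))

def bounded_invariance(rho, p, q, l):
    """p -> Box_{<l} q, straight from the definition: no p-state sigma_i is
    followed by a (not q)-state sigma_j, j >= i, with T_j < T_i + l."""
    return all(q(sj) for i, (si, ti) in enumerate(rho) if p(si)
               for sj, tj in rho[i:] if tj < ti + l)

def bounded_response(rho, p, q, u):
    """p -> Diamond_{<=u} q: every p-state sigma_i is followed by a
    q-state sigma_j, j >= i, with T_j <= T_i + u."""
    return all(any(q(sj) for sj, tj in rho[i:] if tj <= ti + u)
               for i, (si, ti) in enumerate(rho) if p(si))

# Constructed run of the single-process example of Section 6.1: the
# process waits at l0 and moves to l1 at time 2 (delay interval [2,3]).
RUN = [({"pi": "bot", "x": 0}, 0), ({"pi": "l0", "x": 0}, 0),
       ({"pi": "l0", "x": 0}, 1), ({"pi": "l0", "x": 0}, 2),
       ({"pi": "l1", "x": 0}, 2), ({"pi": "l1", "x": 0}, 3)]
# Constructed run that violates the lower bound: l1 is entered at time 1.
BAD_RUN = [({"pi": "bot", "x": 0}, 0), ({"pi": "l0", "x": 0}, 0),
           ({"pi": "l0", "x": 0}, 1), ({"pi": "l1", "x": 0}, 1)]

ready = lambda s: s["pi"] == "bot"
start = lambda s: s["pi"] == "l0"
at_l1 = lambda s: s["pi"] == "l1"

def check(rho):
    """Return (ready -> Box_{<2} not at_l1, start -> Diamond_{<=3} at_l1)
    for one run, computed from the definitions and cross-checked against
    the same formulas built from the operator combinators."""
    lower = bounded_invariance(rho, ready, lambda s: not at_l1(s), 2)
    upper = bounded_response(rho, start, at_l1, 3)
    lower_tl = valid_over(rho, lambda r: (not ready(r[0][0])) or
                          always_lt(2, lambda s: not at_l1(s))(r))
    upper_tl = valid_over(rho, lambda r: (not start(r[0][0])) or
                          eventually_le(3, state_formula(at_l1))(r))
    assert lower == lower_tl and upper == upper_tl
    return lower, upper
```

`check(RUN)` yields `(True, True)`; `check(BAD_RUN)` yields `(False, True)`, since the early entry into $\ell_1$ breaks only the lower bound. The direct definitions and the operator-based formulas must agree on every run, which is what the assertion inside `check` enforces.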
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Monotonicity  rules 

We  now  introduce  two  importzint  proof  rules  that  are  5-sound  for  every  timed  transition  system  5. 
The  monotonicity  rule  U-MON  allows  us  to  weaken  any  of  the  three  arguments  of  the  bounded- 
unless  operator: 

U-MON  p  ^  p'  <i>  <t>' 

{p[)>l<f>)  (p'U>;'<^') 

A  second  monotonicity  rule,  O-MON,  weakens  either  argument  of  the  bounded-eventually  operator: 


O-MON  f)  <i>' 

u'  >  u 

(^<u  <t>) 

VI 

It  is  not  hard  to  see  that  both  monotonicity  rules  axe  5-sound  for  every  timed  transition  system  5 . 
Since  propositional  reasoning,  too,  is  5-sound  for  every  system  5,  we  will  refer  to  applications  of 
the  two  weakening  rules  and  propositional  reasoning  in  derivations  through  the  sunple  annotation 
“by  monotonicity.”  For  example,  from  the  bounded-urdess  formula 

p  gU>;r, 

we  can  establish,  by  monotonicity,  both  the  bounded-invariance  formula 

P  -* 

and  the  unbounded  unless  formula 

p  — >  g  U  r. 

Every  unless  formula  can  be  read  as  an  untimed  formula  of  standard  temporal  logic  and  interpreted 
over  state  sequences;  that  is,  it  defines  an  untimed  safety  property. 

6 Bounded-operator Reasoning

We show how to prove that a given timed transition system $S = (V, \Sigma, \Theta, \mathcal{T}, l, u)$ meets its specification. In particular, we present a deductive system to establish the $S$-validity of bounded-invariance and bounded-response properties. The proof rules fall into four categories:

1. The single-step rules derive real-time properties that follow from the lower-bound or upper-bound requirement for a single transition.

2. The transitivity rules combine two local real-time properties of the same type, that is, either two bounded-invariance properties or two bounded-response properties, into a composite timing property.

3. The induction rules combine arbitrarily many local real-time properties of the same type into a global timing property.

4. The crossover rules combine local real-time properties of opposite types into a composite timing property.
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6.1  Deterministic  rules 

We  begin  by  presenting  the  bounded-operator  methodology  for  verifying  deterministic  systems 
without  crossover  reasoning:  a  timed  transition  system  S  is  called  deterministic  if  any  two  guards 
that  axe  associated  with  outgoing  edges  of  the  same  vertex  in  the  timed  transition  diagram  represen¬ 
tation  of  5  are  disjoint.  Nondeterministic  systems  require  more  complex  (conditional)  single-step 
reasoning  and  will  be  treated  at  the  end  of  this  section.  Crossover  reasoning  is  deferred  to  Section  8. 

Single-step  rules 

The  single-step  lower-bound  rule  uses  the  minimal  delay  £  I\1  of  a  transition  r  £  7"  to  infer  a 
bounded-unless  formula: 

U-SS  p  — ^  -ienabled{r) 

p  ip 

{ip}T-r{ip} 
ip  ^  q 

[ip  A  enabled{T))  r 
V  ?U>4r 


The  rule  U-SS  derives  a  temporal  (bounded-unless)  formula  from  premises  aU  of  which  are  state 
formulas,  whose  5-vaHdity  typically  is  shown  by  proving  them  generally  valid.  The  state  formula  (p 
is  called  the  invariant  of  the  rule.  Choosing  r  to  be  true,  the  rule  infers  a  bounded- invariance 
property, 

P 

(note  that  the  last  premise  holds  trivially  in  this  case).  To  see  why  the  rule  U-SS  is  5-sound, 
observe  that  whenever  the  transition  r  is  not  enabled,  it  cannot  be  taken  for  at  least  Ir  time  units. 

The  single-step  upper-bound  rule  uses  the  maximal  delay  i6r  £  N  of  a  transition  r  £  T  to  infer  a 
bounded-response  formula: 

O-SS  p  —►  (^  V  g) 

ip  enabled{r) 

{^}T-r{ip  V  g} 

M‘r{g} _ 

_ P  0<Uxg _ 

This  rule  derives  a  temporal  bounded-response  formula  from  prennses  all  of  which  are  state  formulas. 
The  state  formula  tp  is  again  called  the  invariant  of  the  rule.  To  see  why  the  rule  0*SS  is  S-sound, 
recall  that  the  transition  t  has  to  be  taken  before  it  would  be  continuously  enabled  for  more  than 
Ut  time  units. 

To demonstrate a typical application of the single-step rules, we consider the single-process system $P$ with the data precondition $x = 0$ and the following timed transition diagram:

$\{x = 0\}\quad \ell_0 \xrightarrow{\;x = 0?\;\;[2,3]\;} \ell_1$

The process $P$ confirms that $x = 0$ and proceeds to the location $\ell_1$. Because of the delay interval $[2,3]$ of the transition $\tau_{0 \to 1}$, the final location $\ell_1$ cannot be reached before time 2 and must be reached by time 3 (recall that $P$ is taken to start at time 0). Using single-step reasoning, we can carry out a formal proof of this analysis. The bounded-invariance property that $P$ does not terminate before time 2,

$\mathit{ready} \to \Box_{<2}\,\neg\mathit{at}\_\ell_1$,

is established by an application of the single-step lower-bound rule U-SS with respect to the transition $\tau_{0 \to 1}$ (let the invariant $\varphi$ be $\mathit{at}\_\ell_{\bot,0}$). The bounded-response property that $P$ terminates by time 3,

$\mathit{start} \to \Diamond_{\le 3}\,\mathit{at}\_\ell_1$,

follows from the single-step upper-bound rule ◇-SS with respect to the transition $\tau_{0 \to 1}$ (use the invariant $\mathit{at}\_\ell_0 \wedge x = 0$).
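The premises of U-SS and ◇-SS are state formulas, so for a finite-domain abstraction of $P$ they can be discharged by plain enumeration. The following Python code is an added example, not from the paper: it restricts $\pi$ to $\{\bot, \ell_0, \ell_1\}$ and $x$ to $\{0, 1\}$ (an assumption; the names `BOT`, `t01_*`, `entry_*` and `OTHER` are the example's own), checks the five premises of U-SS for the lower bound and the four premises of ◇-SS for the upper bound of the example above, and shows that the weaker invariant $\mathit{at}\_\ell_0$ alone does not discharge ◇-SS.

```python
"""Mechanical discharge of the single-step rule premises (U-SS and
Diamond-SS) for the single-process example by enumerating a finite
state space.  Added example; the rules are the paper's, the checking
code and the finite domains (pi in {bot, 0, 1}, x in {0, 1}) are
assumptions made here.
"""
from itertools import product

BOT = "bot"                    # pi = bot: the process has not started
STATES = [{"pi": pi, "x": x} for pi, x in product([BOT, 0, 1], [0, 1])]

def t01_enabled(s):            # tau_{0->1}: guard x = 0 at location l0
    return s["pi"] == 0 and s["x"] == 0

def t01_succ(s):               # tau_{0->1}-successors of s
    return [dict(s, pi=1)] if t01_enabled(s) else []

def entry_enabled(s):          # entry transition: pi = bot -> l0
    return s["pi"] == BOT

def entry_succ(s):
    return [dict(s, pi=0)] if entry_enabled(s) else []

OTHER = [entry_succ]           # T - tau_{0->1}, without the idle transition
IDLE = [lambda s: [s]]         # the idle transition keeps the state

def vc(p, succs, q):
    """Verification condition {p} T {q}: every successor of a p-state
    under any transition in T is a q-state."""
    return all(q(t) for s in STATES if p(s) for succ in succs for t in succ(s))

def implies(p, q):
    """General validity of p -> q over the finite state space."""
    return all(q(s) for s in STATES if p(s))

ready = lambda s: s["pi"] == BOT and s["x"] == 0   # theta and at_l_bot
start = lambda s: s["pi"] == 0 and s["x"] == 0     # theta and at_l0
at_l1 = lambda s: s["pi"] == 1

def u_ss_premises(p, phi, q, r, enabled, others):
    """The five premises of U-SS; all must hold for p -> q U_{>=l} r."""
    return (implies(p, lambda s: not enabled(s)),
            implies(p, phi),
            vc(phi, others + IDLE, phi),
            implies(phi, q),
            implies(lambda s: phi(s) and enabled(s), r))

def diamond_ss_premises(p, phi, q, enabled, tau_succ, others):
    """The four premises of Diamond-SS; all must hold for p -> Diamond_{<=u} q."""
    return (implies(p, lambda s: phi(s) or q(s)),
            implies(phi, enabled),
            vc(phi, others + IDLE, lambda s: phi(s) or q(s)),
            vc(phi, [tau_succ], q))

def lower_bound_ok():
    """ready -> Box_{<2} not at_l1 by U-SS, invariant at_l_{bot,0}, r = true."""
    inv = lambda s: s["pi"] in (BOT, 0)
    return all(u_ss_premises(ready, inv, lambda s: not at_l1(s),
                             lambda s: True, t01_enabled, OTHER))

def upper_bound_ok():
    """start -> Diamond_{<=3} at_l1 by Diamond-SS, invariant at_l0 and x = 0."""
    inv = lambda s: s["pi"] == 0 and s["x"] == 0
    return all(diamond_ss_premises(start, inv, at_l1, t01_enabled, t01_succ, OTHER))

def wrong_invariant_fails():
    """With the invariant at_l0 alone, the premise phi -> enabled(tau)
    of Diamond-SS fails in the state pi = l0, x = 1."""
    inv = lambda s: s["pi"] == 0
    return not all(diamond_ss_premises(start, inv, at_l1, t01_enabled, t01_succ, OTHER))
```

Each premise is a closed first-order statement over $V$, which is why brute-force enumeration suffices once the domains are finite; for unbounded domains the same premises would be handed to a theorem prover instead. The failing variant illustrates the role of the invariant: ◇-SS needs $\varphi$ to keep $\tau$ enabled, and $\mathit{at}\_\ell_0$ without $x = 0$ does not.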

Transitivity rules

To join a finite number of successive timing constraints into a more complicated real-time property, we introduce transitivity rules. The transitive lower-bound rule combines two bounded-unless formulas:

U-TRANS:
    $\phi \to p\,\mathcal{U}_{\ge l_1}\,\chi$
    $\chi \to q\,\mathcal{U}_{\ge l_2}\,\psi$
    ----------------------------------------
    $\phi \to (p \vee q)\,\mathcal{U}_{\ge l_1 + l_2}\,\psi$

We refer to the formula $\chi$ as the link of the rule. The transitive upper-bound rule combines two bounded-response formulas:

◇-TRANS:
    $\phi \to \Diamond_{\le u_1}\,\chi$
    $\chi \to \Diamond_{\le u_2}\,\psi$
    ----------------------------------------
    $\phi \to \Diamond_{\le u_1 + u_2}\,\psi$

The formula $\chi$ is again called the link of the rule. Both transitivity rules are easily seen to be $S$-sound for every timed transition system $S$.

We demonstrate the application of the transitivity rules by examining the single-process system $P$ with the following timed transition diagram:

$\ell_0 \xrightarrow{\;[2,3]\;} \ell_1 \xrightarrow{\;[2,3]\;} \ell_2$

We want to show that $P$ terminates not before time 4 and not after time 6. First, we prove the lower bound on the termination of $P$:

$\mathit{ready} \to \Box_{<4}\,\neg\mathit{at}\_\ell_2$.

By the transitive lower-bound rule U-TRANS, it suffices to show the two premises

$\mathit{ready} \to (\neg\mathit{at}\_\ell_2)\,\mathcal{U}_{\ge 2}\,\mathit{at}\_\ell_0$, (1)

$\mathit{at}\_\ell_0 \to (\neg\mathit{at}\_\ell_2)\,\mathcal{U}_{\ge 2}\,\mathit{true}$. (2)

Both premises can be established by single-step lower-bound reasoning. To show the premise (1), we apply the rule U-SS with respect to the transition $\tau_{0 \to 1}$ using the invariant $\mathit{at}\_\ell_{\bot,0}$; the premise (2) follows from the rule U-SS with respect to the transition $\tau_{1 \to 2}$ and the invariant $\mathit{at}\_\ell_{0,1}$.

The upper bound on the termination of $P$,

$\mathit{start} \to \Diamond_{\le 6}\,\mathit{at}\_\ell_2$,

is concluded by the transitive upper-bound rule ◇-TRANS. It suffices to show the premises

$\mathit{start} \to \Diamond_{\le 3}\,(\mathit{at}\_\ell_1 \wedge x = 0)$,

$(\mathit{at}\_\ell_1 \wedge x = 0) \to \Diamond_{\le 3}\,\mathit{at}\_\ell_2$,

both of which can be established by single-step upper-bound reasoning (we use the two invariants $\mathit{at}\_\ell_0 \wedge x = 0$ and $\mathit{at}\_\ell_1 \wedge x = 0$, respectively). Note that for lower-bound reasoning the link $\mathit{at}\_\ell_0$ identifies the last state before the transition $\tau_{0 \to 1}$ is taken, while for upper-bound reasoning the link $\mathit{at}\_\ell_1 \wedge x = 0$ refers to the first state after $\tau_{0 \to 1}$ is taken.

For an example with a (deterministic) branching structure, consider the process $P'$ with the following timed transition diagram:


We show that $P'$ terminates either at time 3 or at time 4. The proof requires a case analysis on the initial value of $x$, which determines which path of the transition diagram is taken. The lower bound

$\mathit{ready} \to \Box_{<3}\,\neg\mathit{at}\_\ell_3$

is implied by the two bounded-invariance formulas

$(\mathit{ready} \wedge x = 0) \to \Box_{<3}\,\neg\mathit{at}\_\ell_3$,

$(\mathit{ready} \wedge x \ne 0) \to \Box_{<3}\,\neg\mathit{at}\_\ell_3$,

both of which can be derived by transitive lower-bound reasoning (as links use the two state formulas $\mathit{at}\_\ell_{\bot,0} \wedge x = 0$ and $\mathit{at}\_\ell_{\bot,0} \wedge x \ne 0$, respectively). The upper bound

$\mathit{start} \to \Diamond_{\le 4}\,\mathit{at}\_\ell_3$

follows by a similar case analysis and transitive upper-bound reasoning.

So far we have examined only single-process examples. In general, several processes that communicate through shared variables interfere with each other. Consider the synchronous two-process shared-variables multiprocessing system with the data precondition $x = 1$ and the following timed transition diagrams:

$P_1$: $\{x = 1\}\quad \ell^1_0 \xrightarrow{\;x = 0?\;\;[2,3]\;} \ell^1_1$

$P_2$: $\ell^2_0 \xrightarrow{\;x := 0\;} \ell^2_1$, timed so that the assignment is taken at time 1

The first process, $P_1$, is identical to a previous example; with a minimal delay of 2 time units and a maximal delay of 3 time units, it confirms that $x = 0$ and proceeds to the location $\ell^1_1$. However, this time the value of $x$ is not 0 from the very beginning, but set to 0 by the second process, $P_2$, only at time 1. Thus, $P_1$ can reach its final location $\ell^1_1$ no earlier than at time 3 and no later than at time 4.

For a formal proof we need the transitivity rules. The bounded-invariance property

$\mathit{ready} \to \Box_{<3}\,\neg\mathit{at}\_\ell^1_1$

is established by an application of the transitive lower-bound rule U-TRANS. It suffices to show the premises

$\mathit{ready} \to (\neg\mathit{at}\_\ell^1_1)\,\mathcal{U}_{\ge 1}\,(\mathit{at}\_\ell^1_0 \wedge x = 1)$,

$(\mathit{at}\_\ell^1_0 \wedge x = 1) \to (\neg\mathit{at}\_\ell^1_1)\,\mathcal{U}_{\ge 2}\,\mathit{true}$,

both of which follow from single-step lower-bound reasoning. Similarly, the transitive upper-bound rule ◇-TRANS is used to show the bounded-response property

$\mathit{start} \to \Diamond_{\le 4}\,\mathit{at}\_\ell^1_1$

from the link $\mathit{at}\_\ell^1_0 \wedge x = 0$.

Induction rules

To prove lower and upper bounds on the execution time of program loops, we need to combine a state-dependent number of bounded-invariance or bounded-response properties. For this purpose it is economical to have induction schemes.

The inductive lower-bound rule U-IND generalizes the transitive lower-bound rule U-TRANS; it combines a potentially large number of similar bounded-unless formulas in a single proof step. Assume that the new, rigid variable $i \in V$ ranges over the integers $\mathbb{Z}$; for any $n \in \mathbb{N}$:

U-IND:
    $(\varphi(i) \wedge i > 0) \to p\,\mathcal{U}_{\ge l}\,\varphi(i - 1)$
    ----------------------------------------
    $\varphi(n) \to p\,\mathcal{U}_{\ge n \cdot l}\,\varphi(0)$

By $\varphi(i - 1)$ we denote the state formula that results from the inductive invariant $\varphi(i)$ by replacing all occurrences of the variable $i$ with the expression $i - 1$; the formulas $\varphi(n)$ and $\varphi(0)$ are obtained analogously. Note that every instance of the rule U-IND, for any constant $n \in \mathbb{N}$, is derivable from the transitive lower-bound rule U-TRANS.

For a demonstration of inductive lower-bound reasoning, we consider the following single-process system $P$:

The process $P$ decrements the value of $x$ until it is 0, at which point $P$ proceeds to the location $\ell_2$. Since $x$ starts out with the value 5 and each decrement operation takes at least 2 time units, while the tests are instantaneous, the final location $\ell_2$ cannot be reached before time 10. This lower bound,

$\mathit{ready} \to \Box_{<10}\,\neg\mathit{at}\_\ell_2$,

follows by transitivity and monotonicity from the two bounded-unless properties

$\mathit{ready} \to (\neg\mathit{at}\_\ell_2)\,\mathcal{U}_{\ge 2}\,(\mathit{at}\_\ell_1 \wedge x = 5)$, (1)

$(\mathit{at}\_\ell_1 \wedge x = 5) \to (\neg\mathit{at}\_\ell_2)\,\mathcal{U}_{\ge 8}\,(\mathit{at}\_\ell_1 \wedge x = 1)$. (2)

The first property, (1), is enforced by two single-step lower bounds; the second property, (2), can be derived by the inductive lower-bound rule U-IND from the premise

$(\mathit{at}\_\ell_1 \wedge x = i + 1 \wedge i > 0) \to (\neg\mathit{at}\_\ell_2)\,\mathcal{U}_{\ge 2}\,(\mathit{at}\_\ell_1 \wedge x = i)$,

which is concluded by transitive reasoning.
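The bounds derived by the single-step, transitivity, and induction rules in this section can be cross-checked by exhaustive exploration of the runs. The following Python code is an added example and not from the paper. It assumes a discretised version of the timed-transition-system semantics: time advances only by idle ticks of one unit, a transition with delay interval $[l,u]$ fires only after being continuously enabled for $l$ units and cannot stay continuously enabled for more than $u$ units, and exploration starts in the $\mathit{start}$ state at time 0 (the entry transition is skipped). It encodes three of the examples above, the single-process system with the $[2,3]$ transition, the two-process shared-variables system, and the decrement loop; the delay intervals that the text leaves implicit (instantaneous tests as $[0,0]$, $P_2$'s assignment as $[1,1]$) and the variable names `pi`, `pi1`, `pi2` are assumptions.

```python
"""Exhaustive integer-time exploration of small timed transition systems,
used to cross-check the termination bounds derived in Section 6.1.
Added example, not from the paper.

Assumed semantics (a discretisation of the paper's model): time advances
only by idle ticks of one unit; a transition with delay interval [l, u]
may be taken only once it has been continuously enabled for at least l
units, and an idle tick is blocked while some enabled transition has
already been continuously enabled for u units.  Exploration begins in
the 'start' state at time 0, as the paper assumes t = 0.
"""
from collections import deque

class Transition:
    def __init__(self, name, guard, action, lower, upper):
        self.name, self.guard, self.action = name, guard, action
        self.lower, self.upper = lower, upper

def freeze(state):
    return tuple(sorted(state.items()))

def successors(trans, state, clocks):
    """Yield (state, clocks, elapsed) for every move from a configuration;
    clocks[i] is how long trans[i] has been continuously enabled."""
    enabled = [t.guard(state) for t in trans]
    if all(clocks[i] < trans[i].upper for i in range(len(trans)) if enabled[i]):
        # idle tick: every enabled transition ages by one unit
        yield state, tuple(c + 1 if e else 0 for c, e in zip(clocks, enabled)), 1
    for i, t in enumerate(trans):
        if enabled[i] and clocks[i] >= t.lower:
            nxt = dict(state)
            t.action(nxt)
            still = [tt.guard(nxt) for tt in trans]
            # a transition keeps its age only if it stays enabled; the
            # taken transition and newly enabled ones start from 0
            yield nxt, tuple(c if (j != i and enabled[j] and still[j]) else 0
                             for j, c in enumerate(clocks)), 0

def termination_times(trans, init, final, horizon=40):
    """Set of times at which some run first reaches a final state, over
    all runs of the system (runs are cut off after `horizon` time units)."""
    root = (freeze(init), (0,) * len(trans), 0)
    seen, work, times = {root}, deque([root]), set()
    while work:
        fstate, clocks, now = work.popleft()
        state = dict(fstate)
        if final(state):
            times.add(now)
            continue
        if now >= horizon:
            continue
        for nxt, nclocks, dt in successors(trans, state, clocks):
            cfg = (freeze(nxt), nclocks, now + dt)
            if cfg not in seen:
                seen.add(cfg)
                work.append(cfg)
    return times

# Single-process example of the single-step rules: {x = 0}, l0 --x=0? [2,3]--> l1.
SINGLE = [Transition("t01", lambda s: s["pi"] == 0 and s["x"] == 0,
                     lambda s: s.update(pi=1), 2, 3)]

# Two-process shared-variables example: P1 tests x = 0 with delay [2,3];
# P2 sets x := 0 at time 1 (modelled here with the delay interval [1,1]).
TWO_PROC = [Transition("P1", lambda s: s["pi1"] == 0 and s["x"] == 0,
                       lambda s: s.update(pi1=1), 2, 3),
            Transition("P2", lambda s: s["pi2"] == 0,
                       lambda s: s.update(pi2=1, x=0), 1, 1)]

# Decrement loop of the induction rules: l0 --x!=0?--> l1 --x:=x-1 [2,3]--> l0
# and l0 --x=0?--> l2, with instantaneous tests (delay interval [0,0]).
LOOP = [Transition("test_nz", lambda s: s["pi"] == 0 and s["x"] != 0,
                   lambda s: s.update(pi=1), 0, 0),
        Transition("dec", lambda s: s["pi"] == 1,
                   lambda s: s.update(pi=0, x=s["x"] - 1), 2, 3),
        Transition("test_z", lambda s: s["pi"] == 0 and s["x"] == 0,
                   lambda s: s.update(pi=2), 0, 0)]

def bounds(trans, init, final):
    """(earliest, latest) termination time over all runs."""
    times = termination_times(trans, init, final)
    return min(times), max(times)

if __name__ == "__main__":
    print(bounds(SINGLE, {"pi": 0, "x": 0}, lambda s: s["pi"] == 1))
    print(bounds(TWO_PROC, {"pi1": 0, "pi2": 0, "x": 1}, lambda s: s["pi1"] == 1))
    print(bounds(LOOP, {"pi": 0, "x": 5}, lambda s: s["pi"] == 2))
```

The three calls return `(2, 3)`, `(3, 4)` and `(10, 15)`: the single transition fires at time 2 or 3; $P_1$ waits for $P_2$'s assignment at time 1 and then needs between 2 and 3 more units; and five decrements of 2 to 3 units each place the loop's termination between 10 and 15, matching the lower bound $\Box_{<10}$ proved above. Exploration of this kind only confirms bounds for a fixed initial state and a fixed discretisation; the proof rules cover all computations and all initial values.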

The inductive lower-bound rule has a twin that combines several similar bounded-response formulas by adding up their upper bounds $u$. In fact, both induction rules can be generalized, by letting the bounds $l$ and $u$ vary as functions of $i$. In its more general form, we state only the inductive upper-bound rule. It uses again a new, rigid variable $i \in V$ that ranges over the integers $\mathbb{Z}$; for any $n \in \mathbb{N}$:

◇-IND:
    $(\varphi(i) \wedge i > 0) \to \Diamond_{\le u_i}\,\varphi(i - 1)$
    ----------------------------------------
    $\varphi(n) \to \Diamond_{\le \sum_{1 \le i \le n} u_i}\,\varphi(0)$

Every instance of this rule is derivable from the transitive upper-bound rule ◇-TRANS.

The general form of the inductive upper-bound rule is useful to prove upper bounds for programs with loops whose execution time is not uniform. An example for such a system is the following odd-even variant of the process $P$:

[timed transition diagram omitted; legible labels: $\{x = 5\}$, the test $x \ne 0?$, the branches $\mathit{odd}(x) \to x := x - 1$ and $\mathit{even}(x) \to x := x - 1$, and the delay intervals $[2,2]$, $[0,0]$, $[2,3]$, $[0,0]$]

The upper bound

$\mathit{start} \to \Diamond_{\le 12}\,\mathit{at}\_\ell_2$

follows by transitivity from the bounded-response property

$\mathit{start} \to \Diamond_{\le 12}\,(\mathit{at}\_\ell_0 \wedge x = 0)$,

which can be concluded by the inductive upper-bound rule ◇-IND from the premise

$(\mathit{at}\_\ell_0 \wedge x = i \wedge i > 0) \to \Diamond_{\le 2 + \mathit{even}(i)}\,(\mathit{at}\_\ell_0 \wedge x = i - 1)$

(the expression $\mathit{even}(i)$ evaluates to either 1 or 0 depending on whether the value of $i$ is even). This bounded-response formula follows from transitive reasoning.

6.2 Conditional rules

Unfortunately, the proof rules we have designed are not strong enough to show tight bounds on nondeterministic systems. To see this, consider the following nondeterministic variant $P$ of a process encountered previously:


As before, $P$ terminates either at time 3 or at time 4. However, during an execution of $P$, one of the two transitions $\tau_{0 \to 1}$ and $\tau_{0 \to 2}$ is chosen nondeterministically. Thus we cannot carry out a case analysis with respect to a state formula that selects a unique guard. Instead, we proceed in two steps. First we establish an untimed safety formula that enumerates all possible nondeterministic choices. Then we decorate the unbounded temporal formula with time bounds.

Step 1 To establish the $S$-validity of a temporal formula $\phi$ that contains only unbounded unless operators (i.e., $\mathcal{U}_{\ge 0}$), it suffices to show that $\phi$ is true over all run fragments of the untimed transition system $S^{-}$ that underlies $S$. This can be achieved with the help of any conventional timeless proof system (for instance, the proof system given in [MP83]).

For example, to derive the lower bound 3 on the termination of our example $P$, we show the untimed formula

$\mathit{ready} \to ((\mathit{at}\_\ell_\bot\,\mathcal{U}^{+}\,\mathit{at}\_\ell_0\,\mathcal{U}^{+}\,\mathit{at}\_\ell_1) \vee (\mathit{at}\_\ell_\bot\,\mathcal{U}^{+}\,\mathit{at}\_\ell_0\,\mathcal{U}^{+}\,\mathit{at}\_\ell_2))$ (†)

(nested unless operators associate to the right).

Step 2 To add time bounds to this disjunction of nested unless formulas, we need conditional single-step rules. They establish single-step real-time bounds under the assumption that a particular disjunct has been chosen. The time bounds can, then, be combined by the transitivity rules.
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Nondeterministic  lower  bounds 

The  conditional  single-step  lower-bound  rule  uses  the  minimal  delay  G  N  of  a  transition  t  eT: 

U-CSS  P  -*  -^enabled{T) 

_ {g}T-  T{g  V  -'T-}  _ 

(pU|,gU+ (r  A  (^))  ^  (r  A  ^)) 

The  rule  U-CSS  is  5-sound  for  any  temporal  formula  <t>. 

In our example, we use the conditional single-step lower-bound rule U-CSS with respect to the transitions $\tau_{0\to 1}$ and $\tau_{0\to 2}$ to derive the conditional single-step bounds

$(at\_l_\bot\ \mathcal{U}^+\ at\_l_0\ \mathcal{U}^+\ at\_l_1) \to (at\_l_\bot\ \mathcal{U}^+\ at\_l_0\ \mathcal{U}_{\geq 1}\ at\_l_1)$,
$(at\_l_\bot\ \mathcal{U}^+\ at\_l_0\ \mathcal{U}^+\ at\_l_2) \to (at\_l_\bot\ \mathcal{U}^+\ at\_l_0\ \mathcal{U}_{\geq 1}\ at\_l_2)$.

They allow us to conclude, from (†),

$ready \to ((at\_l_\bot\ \mathcal{U}^+\ at\_l_0\ \mathcal{U}_{\geq 1}\ at\_l_1) \vee (at\_l_\bot\ \mathcal{U}^+\ at\_l_0\ \mathcal{U}_{\geq 1}\ at\_l_2))$. (‡)

To collapse nested bounded-unless operators, we use the temporal formula U-COLL:

U-COLL  $(p\ \mathcal{U}_{\geq l_1}\ q\ \mathcal{U}_{\geq l_2}\ \Phi) \to ((p \vee q)\ \mathcal{U}_{\geq l_1 + l_2}\ \Phi)$

Note that this temporal formula, which is generally valid, can be derived from the transitive lower-bound rule U-TRANS by using the two tautologies

$(p\ \mathcal{U}_{\geq l_1}\ q\ \mathcal{U}_{\geq l_2}\ \Phi) \to ((p \vee q)\ \mathcal{U}_{\geq l_1}\ q\ \mathcal{U}_{\geq l_2}\ \Phi)$,

$(q\ \mathcal{U}_{\geq l_2}\ \Phi) \to ((p \vee q)\ \mathcal{U}_{\geq l_2}\ \Phi)$.

From (‡) we obtain by collapsing and monotonicity

$ready \to ((at\_l_{\bot,0}\ \mathcal{U}_{\geq 1}\ at\_l_1) \vee (at\_l_{\bot,0}\ \mathcal{U}_{\geq 1}\ at\_l_2))$;

that is, using the (untimed) validity $p\ \mathcal{U}\ true$ and monotonicity,

$ready \to ((at\_l_{\bot,0}\ \mathcal{U}_{\geq 1}\ at\_l_1\ \mathcal{U}^+\ true) \vee (at\_l_{\bot,0}\ \mathcal{U}_{\geq 1}\ at\_l_2\ \mathcal{U}^+\ true))$.

Adding conditional single-step lower bounds for the transitions $\tau_{1\to 3}$ and $\tau_{2\to 3}$ gives

$ready \to ((at\_l_{\bot,0}\ \mathcal{U}_{\geq 1}\ at\_l_1\ \mathcal{U}_{\geq 2}\ true) \vee (at\_l_{\bot,0}\ \mathcal{U}_{\geq 1}\ at\_l_2\ \mathcal{U}_{\geq 2}\ true))$,

and by collapsing and monotonicity we finally arrive at the desired bounded-invariance property

$ready \to \Box_{<3}\ \neg at\_l_3$.

Nondeterministic upper bounds

Conditional upper-bound reasoning does not require the nesting of unless operators. The conditional single-step upper-bound rule uses the maximal delay $u_\tau \in \mathbb{N}$ of a transition $\tau \in T$:

O-CSS
    $p \to enabled(\tau)$
    $\{p\}\ \tau\ \{\neg p\}$
    ────────────────────────────
    $(p\ \mathcal{U}\ \Phi) \to \Diamond_{\leq u_\tau}\ \Phi$

Clearly, the rule O-CSS is $S$-sound for any temporal formula $\Phi$. Note that the second premise of this rule is trivially valid if $\tau$ becomes disabled by being taken, as is the case for all transitions of a timed transition system that is given by timed transition diagrams (recall that we have ruled out self-loops in transition diagrams). It is also worth pointing out that both conditional lower-bound and conditional upper-bound reasoning rely only on assumptions that are built from state formulas by positive boolean connectives and unbounded unless operators and, therefore, define untimed safety properties. Accordingly, the first step of conditional reasoning can be carried out by any untimed method for deriving safety properties.

To derive the upper bound 4 on the termination of our example $P$, we show first the untimed formula

$start \to ((at\_l_0\ \mathcal{U}\ at\_l_1) \vee (at\_l_0\ \mathcal{U}\ at\_l_2))$.

By the conditional single-step upper-bound rule O-CSS with respect to the transitions $\tau_{0\to 1}$ and $\tau_{0\to 2}$, we derive the conditional single-step bounds

$(at\_l_0\ \mathcal{U}\ at\_l_1) \to \Diamond_{\leq 2}\ at\_l_1$,

$(at\_l_0\ \mathcal{U}\ at\_l_2) \to \Diamond_{\leq 2}\ at\_l_2$.

They allow us to conclude

$start \to (\Diamond_{\leq 2}\ at\_l_1 \vee \Diamond_{\leq 2}\ at\_l_2)$.

Now we can proceed by unconditional upper-bound reasoning to arrive at the desired bounded-response property

$start \to \Diamond_{\leq 4}\ at\_l_3$.

7  Explicit-clock  Reasoning 

None  of  our  state  formulas  is  able  to  refer  to  the  value  of  the  time,  because  the  only  real-time 
references  that  are  admitted  in  temporal  formulas  are  time  bounds  on  temporal  operators.  In  this 
section,  we  investigate  the  consequences  of  extending  the  notion  of  state,  by  adding  a  variable  t 
that  represents,  in  every  state,  the  current  time.  This  extension  is  interesting,  because  once  we  are 
given  explicit  access  to  the  global  clock  through  the  clock  variable  t,  both  bounded-invariance  and 
bounded-response  properties  can  alternatively  be  formulated  as  unbounded  unless  formulas  and, 
consequently,  be  verified  by  conventional  timeless  techniques  for  establishing  safety  properties  of 
transition  systems. 
7.1 Explicit-clock transition systems

Let $S = (V, \Sigma, \Theta, T, l, u)$ be a timed transition system. We introduce the following new variables:

• A clock variable $t$ that ranges over the integers $\mathbb{Z}$; it records, in every state $\sigma_i$ of a computation $\rho = (\sigma, \mathsf{T})$, the corresponding time $\mathsf{T}_i$.

• For every transition $\tau \in T$, a delay counter $\delta_\tau$ that ranges over the set $\{0, 1, \ldots, u_\tau\}$ of nonnegative integers; it records, in every state of a computation, for how many clock ticks the transition $\tau$ has been continuously enabled without being taken. We write short for

The explicit-clock transition system $S^t = (V^t, \Sigma^t, \Theta^t, T^t)$ associated with $S$ is defined to be the following untimed transition system:

1. $V^t = V \cup \{t\} \cup \{\delta_\tau \mid \tau \in T\}$.

2. $\Sigma^t$ contains all interpretations of $V^t$. Thus, every state $\sigma \in \Sigma^t$ of $S^t$ is a tuple that contains a state $\sigma^- \in \Sigma$ of $S$, a value $\sigma(t) \in \mathbb{N}$ for the clock variable $t$, and a value $\sigma(\delta_\tau) \in \mathbb{N}$ for each delay counter $\delta_\tau$.

3. A state of $S^t$ is initial iff it extends an initial state of $S$:

$\sigma \in \Theta^t$ iff $\sigma^- \in \Theta$.

4. Every transition of $S$ is extended: $T^t$ contains, for every $\tau \in T$, a transition $\tau^t$ such that $(\sigma_1, \sigma_2) \in \tau^t$ iff for all $\tau' \in T$,

$(\sigma_1^-, \sigma_2^-) \in \tau$,

$\sigma_1(\delta_\tau) \geq l_\tau$,

$\sigma_2(\delta_{\tau'}) = \sigma_1(\delta_{\tau'})$ if $\tau' \neq \tau$ and $\tau'$ is enabled on $\sigma_2$, and $\sigma_2(\delta_{\tau'}) = 0$ otherwise.

The second clause, $\sigma_1(\delta_\tau) \geq l_\tau$, enforces all lower-bound requirements.

In addition, $T^t$ contains the idle transition $\tau_I^t$ and the tick transition $\tau_{tick}^t$, which advances time: $(\sigma_1, \sigma_2) \in \tau_{tick}^t$ iff for all $\tau' \in T$,

$\sigma_1^- = \sigma_2^-$,

$\sigma_2(t) = \sigma_1(t) + 1$,

$\sigma_2(\delta_{\tau'}) = \sigma_1(\delta_{\tau'}) + 1$ if $\tau'$ is enabled on $\sigma_2$, and $\sigma_2(\delta_{\tau'}) = 0$ otherwise.

The last clause enforces all finite upper-bound requirements: since $\delta_{\tau'}$ ranges over $\{0, 1, \ldots, u_{\tau'}\}$ only, the tick transition is disabled as soon as some enabled transition $\tau'$ has waited for $u_{\tau'}$ ticks, so $\tau'$ must be taken before time can advance further.

From $S^t$ we obtain a fair transition system ([MP89a]) by adding the following fairness requirements:

5. A weak-fairness (justice) assumption stipulates that a transition cannot be continuously enabled without being taken. Let the weakly-fair extension of $S^t$ be the fair transition system that is obtained from $S^t$ by adding a weak-fairness assumption for every transition $\tau^t$ if $\tau$ has a maximal delay $\infty$.

6. A strong-fairness assumption stipulates that a transition cannot be enabled infinitely often without being taken. Let the strongly-fair extension of $S^t$ be the fair transition system that is obtained from the weakly-fair extension of $S^t$ by adding a strong-fairness assumption for the tick transition $\tau_{tick}^t$.

It is not hard to see that the timed transition system $S$ and the fair explicit-clock transition system are related in the following way:

• For every initialized computation $(\sigma, \mathsf{T})$ of $S$, there is an infinite state sequence $\sigma^t$ with $(\sigma^t)^- = \sigma$ and $\sigma^t(t) = \mathsf{T}$ such that $\sigma^t$ is an initialized computation of the fair explicit-clock transition system (in the first state of $\sigma^t$, choose the delay counters of all enabled transitions larger than all minimal delays of $S$; otherwise, let all delay counters record the times that the corresponding transitions have been enabled).

• For every initialized computation $\sigma$ of the fair explicit-clock transition system, the timed state sequence $(\sigma^-, \sigma(t))$ is an initialized computation of $S$.

7.2  Explicit-clock  formulas 

We now translate every bounded-invariance and bounded-response formula $\phi$ over $V$ into an untimed unless formula $\phi^t$ that contains the clock variable $t$. The explicit-clock formula $\phi^t$ is constructed such that it is $S^t$-valid iff $\phi$ is $S$-valid:

• The explicit-clock translation of the bounded-invariance formula $p \to \Box_{<l}\ q$ is

$(p \wedge t = T) \to q\ \mathcal{U}\ (t \geq T + l)$,

for a new, rigid variable $T \in V$ that ranges over $\mathbb{Z}$ (recall that $V$ supplies suitable variables that occur neither in the description of $S$ nor in $p$ or $q$).

• The explicit-clock translation of the bounded-response formula $p \to \Diamond_{\leq u}\ q$ is

$(p \wedge t = T) \to (t \leq T + u)\ \mathcal{U}\ q$,

for a new, rigid variable $T \in V$ that ranges over $\mathbb{Z}$.

Both unless formulas use the rigid variable $T$ to record the time of the $p$-state. In the case of bounded-response properties, the explicit-clock translation exploits the fact that the time is guaranteed to reach and surpass $T + u$, for any value of $T$. We emphasize that neither of the state formulas $p$ and $q$ may contain free occurrences of the clock variable or any of the delay counters.

From the correspondence between the computations of the timed transition system $S$ and the fair explicit-clock transition system it follows that the explicit-clock formula $\phi^t$ is valid over the fair explicit-clock transition system iff $\phi$ is $S$-valid. Indeed, since the explicit-clock translations of bounded-invariance and bounded-response properties are safety formulas, there is no need to add fairness assumptions to the explicit-clock transition system:

$\phi^t$ is $S^t$-valid iff $\phi$ is $S$-valid.
7.3 Untimed temporal reasoning about real time

This result leads to an alternative and quite different approach to the verification of real-time properties: to prove the $S$-validity of a real-time property $\phi$ (over $V$), we establish instead the $S^t$-validity of the untimed safety formula $\phi^t$ (over $V^t$). To show the unbounded unless formulas that result from translating bounded-invariance and bounded-response properties, a single timeless unless rule suffices ([MP83]):

UNLESS
    $p \to (\varphi \vee r)$
    $\{\varphi\}\ T^t\ \{\varphi \vee r\}$
    $\varphi \to q$
    ────────────────────────────
    $p \to q\ \mathcal{U}\ r$

We point out that all three premises of the unless rule are state formulas over the augmented set $V^t$ of variables; their $S^t$-validity typically is shown by proving them generally valid. The state formula $\varphi$ is called the invariant of the rule, because the main (i.e., second) premise asserts that $\varphi$ is preserved by all transitions of the system $S^t$ (unless the desired state condition $r$ is established).

To demonstrate this kind of "explicit-clock" real-time reasoning, consider again the single-process system $P$ with the data precondition $x = 0$ and the following timed transition diagram:

$\{x = 0\}$ [timed transition diagram of $P$; figure not reproduced]

The lower bound on the termination of $P$,

$ready \to \Box_{<2}\ \neg at\_l_1$,

is translated into the explicit-clock formula

$(ready \wedge t = T) \to (\neg at\_l_1)\ \mathcal{U}\ (t \geq T + 2)$,

which can be derived by the unless rule from the invariant

$(at\_l_\bot \wedge t \geq T) \vee (at\_l_0 \wedge t \geq T + \delta_{0\to 1})$

(recall that the delay counter $\delta_{0\to 1}$ of the transition $\tau_{0\to 1}$ ranges over the set $\{0, 1, 2, 3\}$ only). The upper bound on the termination of $P$,

$start \to \Diamond_{\leq 3}\ at\_l_1$,

is translated into the untimed unless formula

$(start \wedge t = T) \to (t \leq T + 3)\ \mathcal{U}\ at\_l_1$,

which can be concluded by the unless rule from the invariant

$at\_l_0 \wedge x = 0 \wedge T \leq t \leq T + 3 \wedge t \leq T + \delta_{0\to 1}$.
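To make the construction of Subsections 7.1 and 7.2 and the example just given concrete, here is an added Python example (not code from the paper) that builds the explicit-clock transition system $S^t$ for a constructed single-transition system and checks both explicit-clock unless formulas above by exhaustive state exploration instead of by the unless rule. The system itself (one transition $\tau_{0\to 1}$ with $l = 2$ and $u = 3$, as the counter range $\{0, 1, 2, 3\}$ suggests), the reading of $ready$ as the state in which $\tau_{0\to 1}$ has just become enabled, $start$ as location 0 with $x = 0$, the fixing of $T = 0$, and the blocking of the tick once an enabled transition has waited $u_\tau$ ticks are all assumptions of this example.

```python
"""Explicit-clock transition system S^t for a constructed single-transition timed
transition system, plus exhaustive checking of the two explicit-clock unless
formulas of Subsection 7.3.  Added example; not code from the paper."""
from collections import deque

# Constructed system (assumption): control starts at location 0 with data x = 0;
# the only transition tau01 moves control to location 1 and has minimal delay
# l = 2 and maximal delay u = 3, so its delay counter ranges over {0, 1, 2, 3}.
TRANSITIONS = {
    "tau01": {"guard": lambda loc, x: loc == 0 and x == 0,
              "effect": lambda loc, x: (1, x),
              "lo": 2, "hi": 3},
}
NAMES = tuple(TRANSITIONS)

# An explicit-clock state is (loc, x, t, deltas): the S-state (loc, x), the
# clock t, and the tuple of delay counters delta_tau in the order of NAMES.

def enabled(name, loc, x):
    return TRANSITIONS[name]["guard"](loc, x)

def next_counters(deltas, loc2, x2, taken=None, tick=0):
    """Delay counters after a step into (loc2, x2), following clause 4 of 7.1:
    a counter survives (plus `tick` for the tick transition) only for a
    transition other than the one taken that is enabled on the new state;
    every other counter is reset to 0."""
    return tuple(deltas[i] + tick if n != taken and enabled(n, loc2, x2) else 0
                 for i, n in enumerate(NAMES))

def successors(state):
    """Successors under the extended transitions tau^t, the idle transition,
    and the tick transition of S^t."""
    loc, x, t, deltas = state
    succ = [state]  # idle transition: the state is repeated unchanged
    for i, n in enumerate(NAMES):
        tr = TRANSITIONS[n]
        # tau^t: tau enabled and delta_tau >= l_tau (the lower-bound clause)
        if enabled(n, loc, x) and deltas[i] >= tr["lo"]:
            loc2, x2 = tr["effect"](loc, x)
            succ.append((loc2, x2, t, next_counters(deltas, loc2, x2, taken=n)))
    # tick: t advances by one; since delta_tau cannot exceed u_tau, the tick is
    # blocked while some enabled tau has already waited u_tau ticks (this is
    # how the counter range enforces the upper bound; an assumption of ours)
    if all(not enabled(n, loc, x) or deltas[i] < TRANSITIONS[n]["hi"]
           for i, n in enumerate(NAMES)):
        succ.append((loc, x, t + 1, next_counters(deltas, loc, x, tick=1)))
    return succ

def check_unless(inits, q, r):
    """Check p -> q U r over S^t from the given p-states by breadth-first
    exploration: on every path q must hold at each state up to the first
    r-state.  Returns (True, None) or (False, counterexample path).  The
    search stops at r-states, so it is finite whenever r bounds the clock."""
    seen = set(inits)
    queue = deque((s, (s,)) for s in inits)
    while queue:
        s, path = queue.popleft()
        if r(s):
            continue
        if not q(s):
            return False, path
        for s2 in successors(s):
            if s2 not in seen:
                seen.add(s2)
                queue.append((s2, path + (s2,)))
    return True, None

# Assumptions: `ready` is the state in which tau01 has just become enabled
# (delta = 0); `start` is location 0 with x = 0 and any admissible counter
# value.  By time-shift invariance the rigid variable T is fixed to 0.
T = 0
READY = [(0, 0, T, (0,))]
START = [(0, 0, T, (d,)) for d in range(4)]

def lower_bound_holds(l):
    """(ready & t = T) -> (not at_l1) U (t >= T + l)."""
    return check_unless(READY, lambda s: s[0] != 1, lambda s: s[2] >= T + l)

def upper_bound_holds(u):
    """(start & t = T) -> (t <= T + u) U at_l1."""
    return check_unless(START, lambda s: s[2] <= T + u, lambda s: s[0] == 1)

if __name__ == "__main__":
    print("lower bound 2:", lower_bound_holds(2)[0])  # True
    print("lower bound 3:", lower_bound_holds(3))     # False: tau01 may fire at t = 2
    print("upper bound 3:", upper_bound_holds(3)[0])  # True
    print("upper bound 2:", upper_bound_holds(2))     # False: tau01 may wait until t = 3
```

The two failing checks return the explicit-clock path that witnesses the violation, which is exactly the information the invariant of the unless rule must exclude.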
8 Completeness

The unless rule is known to be complete, relative to state reasoning, for establishing unless formulas, provided the underlying data types and the assertion language are sufficiently powerful to encode runs of transition systems ([MP83]). From the results of the previous section it follows immediately that explicit-clock reasoning is relatively complete for showing bounded-invariance as well as bounded-response properties. As for bounded-operator reasoning, we first show relative completeness in the case that all real-time constraints are either lower bounds or upper bounds. This case does not require crossover reasoning. Then we present crossover rules to combine lower-bound and upper-bound constraints.

8.1  Crossover-free  reasoning 

Given a timed transition system $S$, we assume that all untimed safety properties of $S$ can be derived; that is, we assume an untimed proof system that is complete for timeless safety reasoning. Although such a proof system cannot exist for most data domains, there are temporal proof systems that are complete relative to state reasoning ([MP89b]). In addition, we suppose that the nontrivial timing constraints of $S$ are either all minimal delays or all maximal delays. The following theorem shows that under these assumptions, our bounded-operator rules can derive every bounded-invariance and bounded-response property of $S$.

Theorem. Let $S = (V, \Sigma, \Theta, T, l, u)$ be a timed transition system such that either $l_\tau = 0$ for all $\tau \in T$ or $u_\tau = \infty$ for all $\tau \in T$. Let $\phi$ be a bounded-invariance or a bounded-response formula. If $\phi$ is $S$-valid, then it can be derived by the monotonicity, transitivity, and conditional single-step rules relative to untimed safety reasoning.

Proof. (1) Suppose that all maximal delays of $S$ are $\infty$. First we observe that, under the given restrictions, untimed reasoning is complete for untimed properties of $S$. This is because, in the absence of finite maximal delays, there is a time sequence $\mathsf{T}$ for every computation $\sigma$ of the untimed weakly-fair transition system $S^-_W$ that underlies $S$ such that $(\sigma, \mathsf{T})$ is a computation of $S$ (choose all time steps large enough). It follows that any untimed temporal formula that is $S$-valid is also $S^-_W$-valid and, thus, can be established by untimed reasoning.

Any bounded-response property is either trivially not $S$-valid or can be established by untimed safety reasoning. Now suppose that the bounded-invariance property

$p \to \Box_{<l}\ \neg q$ (1)

is $S$-valid; we show that it can be derived within our proof system. The main idea is to see that in order for (1) to be valid, for any $p$-state in an initialized computation of $S$ there has to be a sequence of nonoverlapping single-step lower bounds that add up to at least $l$ before a $q$-state can be reached. We show that there are only finitely many such ways in which a $q$-state can be delayed for $l$ time units; hence they can be enumerated by a single untimed formula.

Consider an arbitrary computation $\rho = (\sigma, \mathsf{T})$ of $S$ such that $\sigma_i$, for $i \geq 0$, is a $p$-state. Let $\sigma_j$ be the first $q$-state with $j > i$; if no such state exists, let $j = \infty$. We write $\tau_k$ for the transition that is completed at position $k > 0$ of $\rho$. A lower-bound $l$-constraint pattern for $\sigma_{i..j}$ is a finite sequence of nonoverlapping single-step lower bounds between $i$ and $j$ that add up to at least $l$. Formally, a constraint pattern $C$ is a sequence of transitions $\tau_{i_1}, \ldots, \tau_{i_n}$. The pattern $C$ is a lower-bound $l$-constraint pattern iff

$\sum_{1 \leq k \leq n} l_{\tau_{i_k}} \geq l$;

it is a lower-bound constraint pattern for $\sigma_{i..j}$ iff

(a) $i = i_0 < i_1 < \cdots < i_n \leq j$ and

(b) for all $1 \leq k \leq n$, the transition $\tau_{i_k}$ is not enabled on some state $\sigma_{j_k}$ such that $i_{k-1} \leq j_k < i_k$.

A lower-bound constraint pattern for $\sigma_{i..j}$ can be visualized by annotating the computation $\rho$ with backward arrows that represent single-step lower bounds:

[figure: the computation $\rho$ annotated with backward arrows; not reproduced]

Two constraint patterns are equivalent iff one is a subpattern of the other (i.e., can be obtained by omitting transitions). It is not hard to show the following two properties of lower-bound constraint patterns:

Property A There is a lower-bound $l$-constraint pattern for $\sigma_{i..j}$ (use the truth of (1) over the $i$-th suffix of $\rho$).

Property B There are only finitely many different equivalence classes of lower-bound $l$-constraint patterns.

We add, for every transition $\tau \in T$, the boolean variable $completed_\tau$ to our language; it is intended to be true in a state $\sigma_i$, for $i > 0$, of a computation $\rho = (\sigma, \mathsf{T})$ iff the transition $\tau$ is completed at position $i$ of $\rho$. For our purpose, it turns out to be sufficient that $completed_\tau$ satisfies the two axioms

$\{true\}\ \tau\ \{completed_\tau\}$,

$\{true\}\ T - \tau\ \{\neg completed_\tau\}$. (†)

By Property A, there is an untimed formula of the form

$(\neg q)\ \mathcal{U}\ (\neg q \wedge \neg enabled(\tau_{i_1}))\ \mathcal{U}^+\ (\neg q)\ \mathcal{U}^+\ (\neg q \wedge completed_{\tau_{i_1}})\ \mathcal{U}^+\ \cdots\ \mathcal{U}^+\ (\neg q \wedge completed_{\tau_{i_n}})$

that is true over the $i$-th suffix of $\rho$. Since there are, by Property B, only finitely many formulas of this form, $p \to \psi$ for some finite disjunction $\psi$ of nested unless formulas is $S$-valid and, thus, given by untimed safety reasoning. From (†) we infer by the conditional single-step lower-bound rule U-CSS with respect to any transition $\tau \in T$ that

$((\neg enabled(\tau))\ \mathcal{U}\ \varphi\ \mathcal{U}^+\ (completed_\tau \wedge \Phi)) \to ((\neg enabled(\tau))\ \mathcal{U}\ \varphi\ \mathcal{U}_{\geq l_\tau}\ (completed_\tau \wedge \Phi))$

for any state formula $\varphi$ and temporal formula $\Phi$. Hence we can decorate the untimed nested unless formula with time bounds. By repeated collapsing and monotonicity similar to the sample lower-bound derivation of Subsection 6.2, we arrive at the desired bounded-invariance property (1).

(2) Now suppose that all minimal delays of $S$ are 0; the proof proceeds similarly to the previous case. Untimed reasoning is complete for untimed properties of $S$, because $S$ is operational. Any bounded-invariance property is either trivially not $S$-valid or can be established by untimed safety reasoning. So let us assume that the bounded-response property

$p \to \Diamond_{\leq u}\ q$ (2)

is $S$-valid. Consequently, every $p$-state in an initialized computation of $S$ has to be followed by a $q$-state that can be reached by a sequence of overlapping single-step upper bounds that add up to at most $u$. We visualize single-step upper bounds by forward arrows:

[figure: positions $i_1, i_2, \ldots, j$ of the computation annotated with forward arrows; not reproduced]

Formally, let $\rho = (\sigma, \mathsf{T})$ be a computation of $S$ such that $\sigma_i$, for $i \geq 0$, is a $p$-state, and let $\sigma_j$ be the first $q$-state with $j > i$. For the sake of simplicity, we assume that the transition $\tau_k$, which is completed at the position $k > 0$ of $\rho$, is not enabled on $\sigma_k$ (otherwise split $\tau_k$ into two identical transitions with different names). A constraint pattern $\tau_{i_1}, \ldots, \tau_{i_n}$ is an upper-bound $u$-constraint pattern iff

$\sum_{1 \leq k \leq n} u_{\tau_{i_k}} \leq u$;

it is an upper-bound constraint pattern for $\sigma_{i..j}$ iff

(a) $i = i_0 < i_1 < \cdots < i_{n-1} < j \leq i_n$ and

(b) for all $1 \leq k \leq n$, the transition $\tau_{i_k}$ is enabled but not completed at all states $\sigma_{j_k}$ such that $i_{k-1} \leq j_k < i_k$.

It is not hard to see that upper-bound constraint patterns, too, satisfy two crucial properties:

Property A There is an upper-bound $u$-constraint pattern for $\sigma_{i..j}$ (use the truth of (2) over the $i$-th suffix of $\rho$).

Property B There are only finitely many different equivalence classes of upper-bound $u$-constraint patterns (use the operationality of $S$).

By Property A, there is an untimed formula of the form

$(enabled(\tau_{i_1}) \wedge \neg completed_{\tau_{i_1}})\ \mathcal{U}\ (enabled(\tau_{i_2}) \wedge \neg completed_{\tau_{i_2}})\ \mathcal{U}\ \cdots\ \mathcal{U}\ (enabled(\tau_{i_n}) \wedge \neg completed_{\tau_{i_n}})\ \mathcal{U}\ q$

that is true over the $i$-th suffix of $\rho$. By Property B, there is again a finite disjunction $\psi$ of nested unless formulas such that the implication $p \to \psi$ is $S$-valid and, therefore, given by untimed safety reasoning. By repeated application of the conditional single-step upper-bound rule O-CSS, transitivity, and monotonicity, we arrive at the desired bounded-response property (2). More specifically, to collapse nested bounded-eventually operators, we can use the valid temporal formula O-COLL, which is derivable from the transitive upper-bound rule O-TRANS:

O-COLL  $(\Diamond_{\leq u_1}\ \Diamond_{\leq u_2}\ \Phi) \to \Diamond_{\leq u_1 + u_2}\ \Phi$


8.2  Crossover  reasoning 

So far, we have used lower-bound rules to derive bounded-invariance properties and we have used upper-bound rules to derive bounded-response properties. In general, the situation is more complicated: both the lower-bound and the upper-bound rules may be necessary to derive a bounded-invariance (or bounded-response) property. Indeed, we may need additional crossover rules, which combine lower-bound and upper-bound requirements.

Example: Race condition

The need for crossover rules can be illustrated by a multiprocessing system that looks innocent at first glance but turns out to be rather intricate, because its execution time depends on an interesting interplay of the minimal delays and the maximal delays for transitions that belong to different processes. This increment-decrement system is defined by the following timed transition diagram:

[timed transition diagram of the increment-decrement system; figure not reproduced]

We wish to analyze the worst-case (maximal) running time of the synchronous two-process shared-variables multiprocessing system

$\{x = 1, y = 0\}\,[P_1 \parallel P_2]$.

Note that the first process, $P_1$, consumes the maximal amount of time if its first loop, in which the value of $y$ is incremented, is executed as often (fast) as possible, 11 times: the control of $P_1$ may enter the first loop 11 times before and at time 10, the latest time at which the second process closes the loop, and it may spend another 10 time units in the first loop after the guard has been reversed. In this worst (slowest) case, the first loop is left at time 20 with $y = 11$ and, thus, the second loop may use up no more than 110 time units. It follows that $P_1$ terminates by time 130.

Assuming that assignments cost at least 2 time units (instead of 1), tests still being free, the maximal value of $y$ would be only 6, implying termination by time 80. The increase of individual lower bounds decreases the composite upper bound! This phenomenon vividly demonstrates that real-time reasoning amounts to more than simply adding up minimal delays or maximal delays of individual transitions; it shows that lower-bound and upper-bound requirements are not independent, but may jointly affect the global time bounds for the execution time of a system.
Let us now formally prove the upper bound 130 on the termination of $P_1$ by explicit-clock reasoning. To simplify the derivation, we may assume that both processes start simultaneously at time 0. Then we can infer the explicit-clock formula

{start  A  t  =  ^^_i  =  ^^^1  =  0)  (t  <  130)  U  atJ] 

by  the  unless  rule  from  the  following  global  invariant: 

{aUl  A  aiJl  A  (y  =  t  =  =  0  V  1  <  y  <  t  =  V 

(af  A  atJ-l  A  y  +  <  t  =  ^o—i) 

{atJl  A  atJl  A  1  <  y  <  11  A  t  <  20)  V 

{atJ\  A  atJl  A  y  <  10  A  t  <  10  +  V 

{atJl  A  atJt\  A  y  <  11  A  t  +  lOy  <  130)  V 

{aUl  A  atJ-l  A  1  <  y  <  11  A  t  +  lOy  <  130  +  ^^^a)- 

This proof of timely termination resembles a mechanical, exhaustive case analysis of all possible state-time combinations that can occur during an execution of the two processes of the increment-decrement system. The bounded-operator proof of the desired bound on termination, on the other hand, closely follows the intuitive argument we outlined above.

Crossover  rules 

To  mimic  the  informal  argument  for  the  timely  termination  of  the  incTemeni-decrement  system  by 
a  bounded-operator  proof,  we  use  the  crossover  upper-bound  rule: 

0-MIX  u  <  I 

p  0<uP 
g  -y  □<,  g 
{p}{T-ri)-{q} 
p  ^  ready 
p  -*•  0<u  {p  A  q) 

This rule is a modification of the temporal formula

$(\Diamond_{\leq u}\ p \wedge \Box_{<l}\ q) \to \Diamond_{\leq u}\,(p \wedge q)$,

which is valid if $u < l$. The more complicated form of the rule is needed, because reasoning about lower bounds and reasoning about upper bounds are asymmetric: while bounded-invariance formulas refer, intuitively, to the last state before a transition is taken, bounded-response formulas refer to the first state after a transition is taken. This dichotomy is captured by the inverse verification condition

$\{p\}\,(T - \tau_I)^{-1}\,\{q\}$,

which requires that in any computation $\rho = (\sigma, \mathsf{T})$ of $S$, if $\sigma_{i+1}$ is a $p$-state and $\sigma_{i+1} \neq \sigma_i$, then $\sigma_i$ is a $q$-state. Also observe that every computation of $S$ whose first state falsifies the $ready$ condition is the suffix of another computation of $S$ whose first state satisfies $ready$. The $S$-soundness of the rule O-MIX follows.


We give here only a brief sketch of the bounded-operator proof for the bounded-response property

$start \to \Diamond_{\leq 130}\ at\_l^1$

of the increment-decrement system. The derivation relies, as expected, on an interplay of lower-bound and upper-bound rules. First we show that within 10 time units $P_1$ can increase the value of $y$ at most to 10:

$ready \to \Box_{<11}\ (y \leq 10)$;

this is done by inductive lower-bound reasoning. Then we apply the crossover upper-bound rule O-MIX to the single-step upper bound

$start \to \Diamond_{\leq 10}\ (at\_l_1 \wedge x = 0)$,

thus obtaining the bounded-response property

$start \to \Diamond_{\leq 10}\ (y \leq 10 \wedge at\_l_1 \wedge x = 0)$.

From here we proceed by pure upper-bound reasoning, performing a case analysis on the locations of $P_1$.

While  the  crossover  upper-bound  rule  combines  a  bounded-invariance  property  and  a  bounded- 
response  property  into  a  bounded-response  property,  its  counterpart,  the  crossover  lower-bound 
rule,  yields  a  bounded-unless  property: 


U-MIX  u<l 

p  □<IP 

q  0<u? 

{p}T  -Ti{q} 

q  ->  (gU  (g  A  ->p)) 

P  (pU>;g) _ 

This rule is $S$-sound, because it originates with the valid temporal formula (for $u < l$)

$(\Box_{<l}\ p \wedge \Diamond_{\leq u}\,(q\ \mathcal{U}\ (q \wedge \neg p))) \to (p\ \mathcal{U}_{\geq l}\ q)$.

Note that the last premise, which contains only an unbounded unless operator, can be established by untimed reasoning.

The crossover lower-bound rule U-MIX can be used to derive the lower bound

$ready \to \Box_{<2}$

of the increment-decrement system.
9 Conclusions


The increment-decrement example illustrates the trade-off between bounded-operator reasoning and explicit-clock reasoning beautifully. Compare the two proofs of the upper bound on termination: while the bounded-operator (or "hidden-clock") style of real-time verification refers to time only through the relative offsets of time-bounded temporal operators, the explicit-clock style uses ordinary untimed temporal operators and refers to the absolute time in state formulas. Both styles trade off the complexity of the temporal proof structure against the complexity of the state invariants:

•  The  hidden-clock  approach  relies  on  complex  proof  structures  similar  to  the  proof  lattices 
for  establishing  ordinary  (untimed)  liveness  properties  ([OL82],[MP84])  and  uses  relatively 
simple  local  invariants. 

•  The  explicit-clock  method  employs  only  the  plain  unless  rule  —  an  (untimed)  safety  rule  — 
but  requires  a  powerful  global  invariant. 

Open  problems 

There are several obvious problems that have been left open in this paper. Firstly, we presented bounded-operator proof rules and explicit-clock translations for the verification of bounded-invariance and bounded-response properties only. In a next step we wish to classify more complex real-time properties to obtain a hierarchy of real-time properties similar to the untimed hierarchy of temporal properties ([MP90]). Then we may look for proof methods for all classes of properties in the real-time hierarchy.

Secondly, we showed relative completeness of bounded-operator reasoning only in the case that the lower bounds and the upper bounds do not interfere with each other. The power of bounded-operator reasoning in the general case remains to be studied. We suspect that history information, say, in the form of bounded past temporal operators, is necessary to achieve relative completeness in the general case. Note that some information about the past of a state in a computation is available in explicit-clock reasoning, namely, in the form of the delay counters.

Thirdly,  and  perhaps  most  importantly,  we  used  the  discrete  time  domain  of  the  integers.  This 
does  not  necessarily  mean  that  all  events  happen  at  integer  points  in  time,  only  that  the  time  of 
events  is  recorded  by  a  fictitious  digital  clock  with  finite  precision  ([Hen91b]).  While  verification 
may  be  more  difficult,  even  impossible,  in  a  continuous  model  of  time  ([AH90]),  preliminary  results 
indicate  that  in  the  case  of  timed  transition  systems,  on  one  hand,  and  bounded-invariance  and 
bounded-response  properties,  on  the  other  hand,  many  of  the  techniques  that  we  developed  can  be 
carried  over  to  dense  and  continuous  time  domains. 